PDF malware analysis — malicious · 7b7dca30d557306a

MALICIOUS

PDF

71.5 KB Created: 2021-03-15 23:47:17 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-08-20

MD5: 7d5b46bc98cc0c004d5e610a1cf3b582 SHA-1: 8eb593fe078243d9e07c61b1f94cb318a47cc986 SHA-256: 7b7dca30d557306ae77ced58c8f9a4f2f33790156fddb8e9953cbacdfd8979e7

186 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file is identified as malicious by multiple heuristics and a machine learning classifier, with ClamAV detecting it as Pdf.Phishing.Trojan. The file contains a large number of external links, many hosted on disposable domains, suggesting a link farm designed to redirect users to various content, including potentially harmful downloads like an 'android apk'. The presence of embedded URLs and the overall structure indicate a phishing or malware distribution attempt.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://nipisod.ru/wix?keyword=duck+hunt+android+apk+download PDF link annotation
- https://foxenaduro.weebly.com/uploads/1/3/1/1/131164157/4634438.pdfIn PDF document text
- https://cdn.sqhk.co/jomonufo/cDqW30N/vitarikutirazokijufad.pdfIn PDF document text
- https://zodefamebatum.weebly.com/uploads/1/3/5/9/135967531/eed458d16f7.pdfIn PDF document text
- https://xojajulu.weebly.com/uploads/1/3/1/3/131382271/23b3ed43e2b5.pdfIn PDF document text
- https://xosebabonewita.weebly.com/uploads/1/3/4/6/134613761/xukulabiga.pdfIn PDF document text
- https://cdn.sqhk.co/kulizuxekume/0aA14N5/ribotitedamiviz.pdfIn PDF document text
- https://bilewemebit.weebly.com/uploads/1/3/5/9/135964156/71e3d07df906bcf.pdfIn PDF document text
- https://cdn.sqhk.co/tudusiki/iIMF6jg/avatar_game_keygen.pdfIn PDF document text
- https://xovoxabazilepot.weebly.com/uploads/1/3/6/0/136054719/judaguv.pdfIn PDF document text
- https://feziriwavejoli.weebly.com/uploads/1/3/4/0/134096108/9fdde9f77.pdfIn PDF document text
- https://cdn.sqhk.co/denepepunuja/jhPjiry/74231038243.pdfIn PDF document text
- http://masotobu.iblogger.org/vufopaxu.pdfIn PDF document text
- https://mogewojelepa.weebly.com/uploads/1/3/4/6/134681452/vuwinefigir.pdfIn PDF document text
- https://safalijig.weebly.com/uploads/1/3/1/0/131070993/d2721c87664080.pdfIn PDF document text
- https://didegesub.weebly.com/uploads/1/3/2/6/132681352/waduvug.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- http://tiwadelir.rf.gd/abdominal_workout_routine.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/c70d4a0b-196c-4123-8dcb-2d4cffb89710/73623238560.pdfIn PDF document text
- http://xorikija.epizy.com/70421132253.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/37b8c9ef-c777-40fc-a8ad-1d34f0028df0/three_tier_architecture_data_warehouse.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000d8fa.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xD8FA	5136 bytes
SHA-256: `efa661a051364b93f63edf1f3928f35b0a9c05c60d17e4bacbf330e8af2b0d8c`
`font_01_sfnt_off0000ea8a.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xEA8A	10732 bytes
SHA-256: `c97689ff1cdc4d662bee5009c3417c790c2bba55a3437584750cc2c0cc43d119`

Open this report in the interactive analyzer, or submit your own file for analysis.