PDF malware analysis — malicious · 7fcec40b8371a3db

MALICIOUS

PDF

108.6 KB Created: 2021-03-18 22:43:07 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-06-17

MD5: 69972609e0fb7c8820e87cec859350b4 SHA-1: f009bc1ee663befbfabae775ea18d59ec32da967 SHA-256: 7fcec40b8371a3db8a1a62871935c280d0dfb50589e649469ad336bf8f5f0e8c

186 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document is identified as malicious by ML classifiers and ClamAV, indicating a phishing or trojan distribution attempt. It contains a large number of external links, many hosted on disposable domains, suggesting a link farm designed to redirect users to potentially malicious content. The document body, though heavily obfuscated, appears to be a lure related to 'cognitive behavioral therapy manual pdf'.

Machine Learning

Nyx PDF Classifier malicious score 0.9995

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://golowaki.ru/award?keyword=cognitive+behavioral+therapy+manual+pdf PDF link annotation
- http://zefefiwova.medianewsonline.com/c_programming_language_tutorial_for_beginners.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4367297/normal_604d2c3e453e8.pdfIn PDF document text
- https://zunelejodimoje.weebly.com/uploads/1/3/4/5/134526095/b2152.pdfIn PDF document text
- https://vomenipof.weebly.com/uploads/1/3/4/5/134585177/2969061.pdfIn PDF document text
- https://nezuvaju.weebly.com/uploads/1/3/0/9/130969963/3738451.pdfIn PDF document text
- https://xufodikufidu.weebly.com/uploads/1/3/5/3/135382923/sugiravur-kezosorumazijix-mikirupulijo-mimeruzisa.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4529977/normal_6031c1a3eb170.pdfIn PDF document text
- https://ripukalogud.weebly.com/uploads/1/3/4/3/134391837/898ea5d01ecc.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4376857/normal_60276069a4625.pdfIn PDF document text
- https://sixutaxujarupi.weebly.com/uploads/1/3/4/8/134882582/4086411.pdfIn PDF document text
- http://pakunobun.getenjoyment.net/51026647854.pdfIn PDF document text
- https://bukenazupe.weebly.com/uploads/1/3/4/5/134584610/512288494cee5.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4411511/normal_604b82f4e9f8a.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4471095/normal_60502e74e98f7.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://s3.amazonaws.com/pivetuzadujo/82084110361.pdfIn PDF document text
- http://fuvarijes.atwebpages.com/97067011337.pdfIn PDF document text
- https://5e54d98c-4257-4cc7-9010-48f3df296eb2.filesusr.com/ugd/05240c_c997668e362b401c9696267b6eda3b6b.pdf?index=trueIn PDF document text
- https://s3.amazonaws.com/kavifunaruvi/tojudaf.pdfIn PDF document text
- https://3bcdeb60-9876-4d14-bc0a-1dd1632c647c.filesusr.com/ugd/16a96a_87fb3331b2d3421f891ed0d65834c594.pdf?index=trueIn PDF document text
- http://jokosen.atwebpages.com/fundamentals_of_english_grammar_5th_edition.pdfIn PDF document text
- http://riledabetime.myartsonline.com/format_file_adalah.pdfIn PDF document text
- https://s3.amazonaws.com/norozovijalu/tozizoxubawajefulazepod.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00016ad8.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x16AD8	5484 bytes
SHA-256: `ee05e2e39a3b43ff8ead958327e8d73ab4ff42c2a53d14199273e913e35500d2`
`font_01_sfnt_off00017d63.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x17D63	11552 bytes
SHA-256: `09891a027a84ee06de9b7f05ce2f924625861e48d17932240ab558525eda6d98`

Open this report in the interactive analyzer, or submit your own file for analysis.