PDF malware analysis — malicious · 86b6adf5a61ee0ee

MALICIOUS

PDF

75.4 KB Created: 2021-04-09 18:48:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-21

MD5: 18244ce79ba75e2401d271955d342bbd SHA-1: d28400030233ca42d3fd7dbf8a5808f5e1cd3d8d SHA-256: 86b6adf5a61ee0ee92bdf128225f3cb9785ed6b5dbdbf43b8224c27da612d721

186 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document functions as a link farm, directing users to numerous external URLs under the guise of search results. The presence of multiple PDF link farm heuristics and a high ML classifier score indicates malicious intent, likely to drive traffic to potentially malicious or phishing sites. No scripts were extracted, but the document's structure and URL distribution strongly suggest a phishing or traffic-driving campaign.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://golowaki.ru/strik?utm_term=what+is+the+appraisal+process PDF link annotation
- http://smartcoin.design/15111380834qzu2.pdfIn PDF document text
- https://cdn.sqhk.co/tamupoto/aRj3hap/88138696077.pdfIn PDF document text
- http://sodahq.pro/4667456468886kql.pdfIn PDF document text
- https://jowidizikut.weebly.com/uploads/1/3/0/8/130874332/zufufarixutik.pdfIn PDF document text
- https://tulijibukabez.weebly.com/uploads/1/3/0/8/130814483/levolasinuwozawubes.pdfIn PDF document text
- https://cdn.sqhk.co/zezoxomop/3hchiiE/one_good_turn_quotes.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4497372/normal_6008ac849db43.pdfIn PDF document text
- https://cdn.sqhk.co/jufenakajo/ifkidNI/tibolemuwa.pdfIn PDF document text
- https://kumeboxisadinur.weebly.com/uploads/1/3/4/6/134684257/valolewu.pdfIn PDF document text
- http://acupofjacob.com/38457354956a7soh.pdfIn PDF document text
- http://wejnpowk.space/skillful_reading_and_writing_3_teacher_s_book_downloadte8l0.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4426960/normal_5ff65a7c22406.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://5f8b0e40-2141-4341-98ab-6145db4b8156.filesusr.com/ugd/2072cd_1388c20b5cfe4adc9d79694b4ffd8bb4.pdf?index=trueIn PDF document text
- https://1fa67a36-2e8b-44cc-a955-751d80433762.filesusr.com/ugd/d85e51_9a1d0ff41cb349f2ade106deda9c2e30.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/6f64ee79-71cc-4a4f-816a-04ea3a115cdd/driver_stampante_samsung_scx_4623f_free_download.pdfIn PDF document text
- https://6c892e0d-5736-4b4a-96a3-cd490fd1fe3d.filesusr.com/ugd/1407cd_2cd294093d0145c5add71294717223c4.pdf?index=trueIn PDF document text
- https://94aa8f26-b07a-4c24-bdb4-4112657565c9.filesusr.com/ugd/37428b_43a8392d5c534193a5ed25a60e2fc0a9.pdf?index=trueIn PDF document text
- https://ee6e56e8-c390-49d2-810b-d4defef8b9c1.filesusr.com/ugd/eda187_1a7a3e8e5b54484387653da889d6787e.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/98a28a04-cbdb-4369-b6db-adc1e94de853/descargar_software_line_6_pod_xt_live_drivers.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000eb40.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xEB40	5032 bytes
SHA-256: `a7fe9500b8044cb8841d547e75e1c344484555d820754a393e57a4fe6574d3f4`
`font_01_sfnt_off0000fc67.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xFC67	10552 bytes
SHA-256: `2ada65c698c77abe99bedad17f14031b5687be0d6e128481ee7bc954f7056c12`

Open this report in the interactive analyzer, or submit your own file for analysis.