PDF malware analysis — malicious · 8a8cca2af519b2e8

MALICIOUS

PDF

77.6 KB Created: 2021-03-28 14:52:00 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-22

MD5: 4a76f953b90bf0e629b0394302524e66 SHA-1: f889a193d168a7836e46d0b116a6485001dd449c SHA-256: 8a8cca2af519b2e8c1f88ba5cb0e7bc97360861a784cb1e77d3c9ff697da9441

186 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The sample is a PDF document identified as malicious by ClamAV and an ML classifier. It contains a large number of external links, many pointing to disposable hosting services, indicating a link farm or SEO manipulation scheme. The presence of a 'utm_term' parameter in one of the URLs suggests a potential phishing or malicious advertising context.

Machine Learning

Nyx PDF Classifier malicious score 0.9997

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://golowaki.ru/strik?utm_term=dell+e7450+keyboard+not+responding PDF link annotation
- https://wezenazuzive.weebly.com/uploads/1/3/4/7/134764498/d0974c254b510c5.pdfIn PDF document text
- https://zizusufake.weebly.com/uploads/1/3/4/6/134646877/lerepisubijik.pdfIn PDF document text
- http://zinuvudoliku.iblogger.org/95219604086.pdfIn PDF document text
- https://cdn.sqhk.co/zokirafuka/4u4hebx/wulilif.pdfIn PDF document text
- http://feyakast.online/36545910725a6ecs.pdfIn PDF document text
- http://regse.website/44068850960cuiyf.pdfIn PDF document text
- https://zozijopese.weebly.com/uploads/1/3/3/9/133997316/75577.pdfIn PDF document text
- http://invitesistem.ru/bi-_84_application_formmdaqo.pdfIn PDF document text
- https://cdn.sqhk.co/beditakadiga/qnghgj8/numberblocks_hide_and_seek_mod_apk.pdfIn PDF document text
- http://airet.space/15713262026oddam.pdfIn PDF document text
- http://useplafond.xyz/ethical_hacker_salary_in_usmideq.pdfIn PDF document text
- http://balewezekowesab.iblogger.org/bioassay_principle.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://189c2d36-84ff-4b81-9465-96c33c1d3b91.filesusr.com/ugd/35ddae_f361bc39ca8444e1a2237c91250171c9.pdf?index=trueIn PDF document text
- http://ramozan.epizy.com/49783415864.pdfIn PDF document text
- https://de2ee6d5-caaa-4265-b15c-40100ab77d99.filesusr.com/ugd/d43733_9ebddd5c8666434a960ae460bf81f658.pdf?index=trueIn PDF document text
- https://7893bdd6-41e4-48f6-9953-3a636dfb5d61.filesusr.com/ugd/c5c63b_8882554c52be42c4975185a6d00a4d90.pdf?index=trueIn PDF document text
- https://f2d828cf-06d9-46ea-85af-d88b0bc20d44.filesusr.com/ugd/501a20_8b852e9dffbd48eaa5e6d69cf1104c03.pdf?index=trueIn PDF document text
- https://35548484-ce42-4b18-9d9d-834326683263.filesusr.com/ugd/a221b6_c5733bad97fc46fea4f58613a2dc0030.pdf?index=trueIn PDF document text
- https://b3a8b944-ddec-4d17-9b53-5a1c05c66d8c.filesusr.com/ugd/314503_5c56711edc5a411b973c7e74d4339650.pdf?index=trueIn PDF document text
- http://depufidudonap.epizy.com/sidanuviralanukolabero.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000ef10.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xEF10	5868 bytes
SHA-256: `0db02e6be1b0f2305a71c5509a4d2241222fc6c2f2be52884ebc868fce583759`
`font_01_sfnt_off00010331.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x10331	11156 bytes
SHA-256: `177e84e0e256fd96075f6e51fa8d19a4890956a4aabe2aa2e4a6b644b8c4a750`

Open this report in the interactive analyzer, or submit your own file for analysis.