PDF malware analysis — malicious · 8faaf449055b5606

MALICIOUS

PDF

71.0 KB Created: 2021-06-11 19:31:48 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-27

MD5: fe3400000fbb6af61c0e67f8def977d6 SHA-1: 0ad95520145d2e4ea3a58c5292ef42a357b53c04 SHA-256: 8faaf449055b5606b93c3164f2c7e2e3b6b595460d04a8f9f3cb2965cbfd6337

186 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains a large number of external links, many pointing to disposable hosting, suggesting a link farm or SEO spam operation. One of the primary URLs, https://nomylo.ru/pbw?utm_term=mi9t+pro+vs+poco+f2+pro, is likely part of this scheme to drive traffic or phish users.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://nomylo.ru/pbw?utm_term=mi9t+pro+vs+poco+f2+pro PDF link annotation
- https://cdn-cms.f-static.net/uploads/4377678/normal_605117ea43f53.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4379355/normal_602577da058d9.pdfIn PDF document text
- https://senuwisaf.weebly.com/uploads/1/3/4/0/134018119/7425372.pdfIn PDF document text
- https://vagapirub.weebly.com/uploads/1/3/4/6/134648019/03f3791.pdfIn PDF document text
- https://saguwaxofules.weebly.com/uploads/1/3/2/6/132681351/69efe.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/e432611d-c615-4d90-8b2b-6e1274b3822e/c_programming_basic_concepts_in_hindi.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/7dfb3ad1-eab3-4688-92be-9c20e6ca9c86/www_igbo_catholic_hymns_mp3_download_com.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/1b148d4a-89c4-4afe-acb9-55cf3d2746e6/12944150970.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/e4c5e5c6-e30c-45cf-a143-1e6114474316/abraham_lincolns_plan_for_reconstruction.pdfIn PDF document text
- http://negovijalulu.pbworks.com/w/file/fetch/144418464/cest_si_bon_bakery_locations.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/acb08281-e0b2-415b-92d5-8b1a7c302f53/92087791127.pdfIn PDF document text
- http://viluxese.pbworks.com/w/file/fetch/144686784/torepogovolunizanonege.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/ea6d29b8-b209-4868-81bf-0180bbf52a08/6621413126.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/64f13d08-753a-4342-aa55-6309506e17b9/41557090520.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/6bd37743-b68c-45e6-9962-b63345e274ac/kovukimiredozonenowin.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/83959b4a-06e2-4578-908c-7696e9195298/16042321905.pdfIn PDF document text
- http://lulimogosan.pbworks.com/f/13743563616.pdfIn PDF document text
- http://kawawuvaken.pbworks.com/f/lupodosaxefuwatatorubotu.pdfIn PDF document text
- http://xosezoranad.pbworks.com/w/file/fetch/144780231/4741457861.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000d55f.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xD55F	5120 bytes
SHA-256: `a5a26bf6f998c14f973cf7360677bedbbe617388fda956ae5f5218e4812d0145`
`font_01_sfnt_off0000e6f8.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE6F8	13156 bytes
SHA-256: `16046d2589612ad9874cac186ad705ab3e160d0675672179fed6a02a99409d57`

Open this report in the interactive analyzer, or submit your own file for analysis.