Verdict: MALICIOUS
Risk Score: 154
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains a significant number of external links, many pointing to potentially malicious domains, indicating a link farm or phishing lure. The PDF_SEO_LINK_FARM and PDF_URI heuristics both fired, which strongly suggests this intent. While no scripts were directly extracted, the PDF structure and embedded URLs are indicative of a malicious document designed to redirect users to harmful content.
Machine Learning
- Nyx PDF Classifier malicious score 0.9739
Heuristics 4
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- External URI (info, PDF_URI): PDF contains an external URL action
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off0000f941.bin c2aa3f2fd44860be504c361331f5a89b1b5a2c47de7a1966b7dbbe28f2b3248a | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF941 | 5428 bytes |