PDF malware analysis — malicious · 94da0968abdf1e1b

MALICIOUS

PDF

118.6 KB Created: 2021-04-29 23:32:41 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: a505288ac54efff90ce7ee9f058faec8 SHA-1: 790b7e37881461784e3da9bd3fdce833c5e1d419 SHA-256: 94da0968abdf1e1bb939ff738d94a339fe5350330457ac06d0f3b245d6055323

164 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of external links, identified as a link farm, suggesting a phishing or SEO spam campaign. The ML classifier and ClamAV detection strongly indicate malicious intent. Although no scripts were explicitly extracted, the PDF structure and numerous external URLs point towards a malicious document designed to redirect users to potentially harmful sites.

Machine Learning

Nyx PDF Classifier malicious score 0.9981

Heuristics 6

Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Urgency / deadline lure low SE_URGENCY_LURE

Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://druttle.ru/strik?utm_term=metal+gear+solid+2+walkthrough+pdf
- https://cdn.sqhk.co/biwopeka/U5jhiiz/81322372611.pdf
- https://cdn.sqhk.co/genizataxom/7qheidj/daluniwutadamuxesexu.pdf
- https://cdn.sqhk.co/losomilodip/2hggjaZ/57916993928.pdf
- https://cdn.sqhk.co/solijisivono/1DXhaig/naval_special_warfare_officer_requirements.pdf
- https://cdn.sqhk.co/zevijevam/gdiiqhb/rowugoxil.pdf
- https://cdn.sqhk.co/kukisigafumi/OgeEhe0/ding_dong_short_video_appendices.pdf
- https://cdn.sqhk.co/podidiwi/5FyoAVW/39772504269.pdf
- https://cdn.sqhk.co/womilepeba/uNghr0m/kick_the_buddy_forever_game_download.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://ac685e6e-6442-44c0-91a1-b3a367e79ef2.filesusr.com/ugd/ce77c6_fc4daba66edd4e6c91535ba103057124.pdf?index=true
- https://e216d865-ddc7-438b-99b2-64609380b1bb.filesusr.com/ugd/7ae8b3_8fe27b9d8bc74185a99f4ae12380a590.pdf?index=true
- https://uploads.strikinglycdn.com/files/2afcf1e2-8a3f-4491-84f7-6bd3b3abe047/is_taco_bell_menu_all_day.pdf
- https://s3.amazonaws.com/mefonevimimix/64464507852.pdf
- https://uploads.strikinglycdn.com/files/acc342f4-88fc-45d4-abb4-b70291c15254/what_is_another_word_for_these_days.pdf
- https://s3.amazonaws.com/farefasejikap/pojadiwijovekowudot.pdf
- https://uploads.strikinglycdn.com/files/6a53229f-fd0e-467c-8871-73c6c6014c84/kesukekefizulisukixuwi.pdf
- https://uploads.strikinglycdn.com/files/1d2dfc56-917c-4305-a8da-1fa447d0f853/ruxavamojaxav.pdf
- https://s3.amazonaws.com/dugibabafod/bonanza_satrangi_size_guide.pdf
- https://4095172d-bd2f-4181-91d7-dd424e653400.filesusr.com/ugd/df73ab_366d336e9ba645dbbcf8420936b88ef6.pdf?index=true
- https://uploads.strikinglycdn.com/files/94393157-90cb-4a26-981a-ebba8f55730b/insinkerator_badger_5xl_dimensions.pdf
- https://s3.amazonaws.com/pusolefosex/erp_implementation_guide.pdf
- https://uploads.strikinglycdn.com/files/88210ca5-9afa-4a37-a53c-99ea9454fab8/fipizepetelez.pdf
- https://uploads.strikinglycdn.com/files/2595186e-17b4-4c40-9ace-90914c58d351/gabajede.pdf
- https://8f1c0ae7-1ba6-4c51-a623-4d29f5e3aebb.filesusr.com/ugd/c1615c_51971f08eda348918bae96349c363a06.pdf?index=true
- https://s3.amazonaws.com/woxorojero/vupebafisutebubiguwuv.pdf
- https://uploads.strikinglycdn.com/files/acb3e291-3e6b-4911-a29a-06b42c3a1eef/how_to_use_pt_performance_tool_w2977.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00014855.bin` `db3d09a0178c9dc4c0426b2ea8f0663c95956e540fee6bd58b93e0ab618a1a46`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x14855	16116 bytes
`font_01_sfnt_off00017cc0.bin` `b64bdb95232422f8e2749a089f947a090b2604bd6c571918af5824ec4e30ce1e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x17CC0	5596 bytes
`font_02_sfnt_off00018fe8.bin` `723448ef8408c87a43d5855807d1ead51fbc9f5557cc19411f8cfdd84d2e89f0`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x18FE8	11920 bytes
`font_03_sfnt_off0001b724.bin` `25a5e6c7c9cd73e1730f271d334b71b3c0ac6385951e3737251623a68d8eef5c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1B724	16160 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.