Verdict: MALICIOUS
Risk Score: 186

Malware Insights

MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF file contains a link farm with numerous external links, many pointing to disposable hosting, suggesting a malicious intent to redirect users. The ClamAV detection and ML classifier flagging indicate malicious content, likely phishing or a trojan downloader. The embedded URL and the document body's deceptive content about fixing a coffee machine support a phishing or scamming attack pattern.
Machine Learning
- Nyx PDF Classifier malicious score 0.9991
Heuristics (6)
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://zajinet.ru/strik?utm_term=how+to+fix+clogged+coffee+machine
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off0000eebc.bin (SHA-256: d29ff4d0e09120230cd73549e5bd5e31a7930e42e9e7bdb9f1950b1c95e7fc38) | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEEBC | 5284 bytes |
| font_01_sfnt_off000100a4.bin (SHA-256: 1705ba4be22e882e675f738c9fcb1c37d4b1c07561583dc7644a877a74cf8e78) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x100A4 | 10312 bytes |