Verdict: MALICIOUS
Risk Score: 126

Malware Insights

MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF contains numerous embedded URLs and is flagged by heuristics as a link farm and a malicious PDF. The primary URL, 'https://gimoguvi.ru/strik?utm_term=are+tecumseh+engines+any+good', suggests a lure to a potentially malicious site. While no scripts were extracted, the PDF structure and URL analysis strongly indicate a phishing or malware distribution attempt.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9960

Heuristics (5)
- ClamAV (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Primary URL (PDF link annotation): https://gimoguvi.ru/strik?utm_term=are+tecumseh+engines+any+good
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000e9be.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE9BE | 5412 bytes | 61d4e7068bae2fe7287409ebd369228f4b7f6cb1faa3074e4b698d63fc4db965 |
| font_01_sfnt_off0000fc04.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFC04 | 11736 bytes | 211ae9ab9cd803d17cbe6ca3edd7a713bd3b31cde1d74b3a331192e06ef6c62c |