Verdict: MALICIOUS
Risk Score: 156
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF file contains numerous external links, with a significant number pointing to a link farm designed to redirect users. The primary malicious URL identified is 'https://dugedepap.ru/wix?keyword=llws+television+schedule', which is likely used for phishing or to serve a secondary payload. The ClamAV detection and ML classifier strongly indicate malicious intent, specifically related to phishing.
Machine Learning
- Nyx PDF Classifier malicious score 0.9956
Heuristics (5)
- ClamAV (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted URLs (channel in parentheses):
- https://dugedepap.ru/wix?keyword=llws+television+schedule (PDF link annotation)
- https://cdn.sqhk.co/zimidenex/zjihdjj/72084234529.pdf (in PDF document text)
- http://zawugudumi.getenjoyment.net/xulowiramexumeburilalobax.pdf (in PDF document text)
- https://cdn.sqhk.co/kisasizaro/gczhjhc/3887860619.pdf (in PDF document text)
- https://cdn.sqhk.co/wuzexesetaba/v0haEhh/60058742317.pdf (in PDF document text)
- https://cdn.sqhk.co/mopewedote/eeYhjb6/begging_you_tik_tok_song.pdf (in PDF document text)
- https://cdn.sqhk.co/totarujined/jfgcRme/17520676458.pdf (in PDF document text)
- http://mogimetekojubar.scienceontheweb.net/mureso.pdf (in PDF document text)
- http://www.ascendercorp.com/ (in PDF document text)
- http://www.ascendercorp.com/typedesigners.html (in PDF document text)
- https://c84ffda1-e72a-45fa-8ce8-a771970cf326.filesusr.com/ugd/9fd656_93a2e7804e484cd0896b6e88724b8b5a.pdf?index=true (in PDF document text)
- https://uploads.strikinglycdn.com/files/b2267465-c972-4cee-bfc8-4e8d808ba952/pujovesom.pdf (in PDF document text)
- https://s3.amazonaws.com/bomifabipi/chrome_old_version_for_windows_7.pdf (in PDF document text)
- https://s3.amazonaws.com/zonebon/adhe_kangal_songs_tamil.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/62e74f18-c275-40bd-ae67-5e75427201e8/boy_scout_store_houston_tx.pdf (in PDF document text)
- https://s3.amazonaws.com/wanasuvedigo/affirmative_form_verb_can.pdf (in PDF document text)
- https://s3.amazonaws.com/falufusu/shoot_em_up_movie_720p.pdf (in PDF document text)
- https://s3.amazonaws.com/jiwisigetizoxif/47645723392.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/d3180248-91bf-446b-aaf2-ed0a095cb568/26577944737.pdf (in PDF document text)
- https://121f8fc1-d270-4171-a721-8ccd656fc20f.filesusr.com/ugd/2ca22b_c4431aa06a244df0bfc5a2f12cb341db.pdf?index=true (in PDF document text)
- https://46d16763-6c5f-4e19-aa2c-3f4071fcbec2.filesusr.com/ugd/26f730_a67ffa638bce4e60aa925d4dc9d2a78c.pdf?index=true (in PDF document text)
- https://s3.amazonaws.com/zosevid/real_bout_fatal_fury_special_apk.pdf (in PDF document text)
- https://s3.amazonaws.com/dazawojob/riello_oil_burner_wiring_diagram.pdf (in PDF document text)
- https://s3.amazonaws.com/xezujuxoz/double_bollinger_bands_trading_strategy.pdf (in PDF document text)
- https://s3.amazonaws.com/lizuseguwix/nuzexev.pdf (in PDF document text)
- https://e0271a52-a7af-48e9-8a99-924ce320ec62.filesusr.com/ugd/be5703_8af659ceac8a417eb1cb8b7c5fa7e7c4.pdf?index=true (in PDF document text)
- https://59bb578d-b312-442a-858b-1a1a54b18a6c.filesusr.com/ugd/c79b1c_ff0d05b087684f4db9f5f4745b7b9d37.pdf?index=true (in PDF document text)
- https://s3.amazonaws.com/lekelepowo/17403374479.pdf (in PDF document text)
- http://jasesazolaf.myartsonline.com/vaxojolowometadutebura.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/37249490-70b1-4c8b-9ca9-84d4abd967a9/pilibe.pdf (in PDF document text)
- http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
- http://purl.org/dc/elements/1.1/ (in PDF document text)
- http://ns.adobe.com/pdf/1.3/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
- http://scripts.sil.org/OFL (in PDF document text)

Note: the seven URLs immediately above are RDF, Dublin Core and Adobe XMP namespace identifiers plus the SIL Open Font License URL; these are string constants that routinely occur in PDF XMP metadata and embedded font license text, not user-clickable links, and are not part of the link-farm indicator.
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000f348.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF348 | 4812 bytes | 88a0f83d52d0fcdb636c8d0cb627a974a1c20fa084e6c9da31d8b6c9437431ea |
| font_01_sfnt_off000103be.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x103BE | 10944 bytes | 298d22f0675970578d00c801b87630ad7a634aaeca9a22b5bd529be23fd3cfe9 |