PDF malware analysis — malicious · a119af1bc24730b2

MALICIOUS

PDF

69.3 KB Created: 2021-09-25 13:11:10 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-27

MD5: 3c76b9a6f0f5e9fde1c7ef7da73c1e3e SHA-1: ffe528f1160be686d615b77d959d7369b2da8de0 SHA-256: a119af1bc24730b2df3804204f337b8d404e843eef31d8fb238646cc58ccacce

126 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The sample was flagged by ML and ClamAV as malicious, with heuristics indicating it functions as a link farm on disposable hosting. The embedded URLs, despite some being marked benign, point to a pattern of distributing further malicious content. No scripts were extracted, but the PDF structure and URL patterns suggest a phishing or malware distribution attempt.

Machine Learning

Nyx PDF Classifier malicious score 0.9978

Heuristics 5

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://lee-trading.tw/archive/upload/files/45746448440.pdf In PDF document text
- https://asmitahrgroup.com/ckfinder/userfiles/files/57186346639.pdfIn PDF document text
- https://serpavenger.com/ckfinder/userfiles/files/31742310413.pdfIn PDF document text
- http://ipceurope.eu/assets/file/27203890284.pdfIn PDF document text
- https://hatinhjobs.com/upload/files/32256317671.pdfIn PDF document text
- http://forma8.kz/ckfinder/userfiles/files/zidevu.pdfIn PDF document text
- http://ryyw.com/upload/files/2021/09/202109100558458390.pdfIn PDF document text
- https://ilo.tasksplan.com/userfiles/files/dapovukipowegisonugukuna.pdfIn PDF document text
- https://vresponse.net/userfiles/file/vebowutozo.pdfIn PDF document text
- https://jxlmedu.com/file/files/20210902_235119.pdfIn PDF document text
- http://sibstroiexp.ru/userfiles/file/koxerevijak.pdfIn PDF document text
- https://detskeihriska.eu/ckfinder/userfiles/files/74418827021.pdfIn PDF document text
- http://broadgatecapital.com/userfiles/file/somotozenitifetaguxulegaz.pdfIn PDF document text
- https://www.edmcenter.xyz/ckfinder/userfiles/files/63209383692.pdfIn PDF document text
- http://ymjgolf.com/file_media/file_image/file/25824532249.pdfIn PDF document text
- http://diamant-x.sk/UserFiles/file/nosapovagos.pdfIn PDF document text
- http://kripasec.com/userfiles/file/36977193016.pdfIn PDF document text
- http://xn--b1agpbmdtf.xn--p1ai/upload/file/89695380253.pdfIn PDF document text
- https://www.thic.net/plugin/ce1/ckfinder/userfiles/files/41363009728.pdfIn PDF document text
- http://macautemple.com/userfiles/file/kaluvuk.pdfIn PDF document text
- https://srsatta.com/ckfinder/userfiles/files/titiliba.pdfIn PDF document text
- https://galerie-louise.be/userfiles/files/fedes.pdfIn PDF document text
- http://www.wm-meyer.de/meyer/admin/editor/ckfinder/userfiles/files/2848485305.pdfIn PDF document text
- https://feedproxy.google.com/~r/skout/mBVl/~3/fzgW7-mxBc0/uplcv?utm_term=computer+science+10th+class+bookPDF link annotation
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000b0ea.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xB0EA	16792 bytes
SHA-256: `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`
`font_01_sfnt_off0000c8fc.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xC8FC	14764 bytes
SHA-256: `958a22d400bc46dfec99f90de5d4deff93372b15940b54bf02a85b8846d60123`
`font_02_sfnt_off0000edec.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xEDEC	11176 bytes
SHA-256: `90a6e0952d22d6e8831655617ec5c4afba432b3e958a90fae042ad41d7c3a3b8`

Open this report in the interactive analyzer, or submit your own file for analysis.