Verdict: MALICIOUS
Risk Score: 156
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF contains a large number of external links, identified as a 'PDF_SEO_LINK_FARM' heuristic, suggesting a malicious intent to manipulate search engine results or redirect users to potentially harmful sites. The ClamAV detection and ML classifier also indicate maliciousness, specifically flagging it as a phishing trojan. While no scripts were directly extracted, the PDF structure and embedded URLs point towards a phishing or malicious redirection attack, likely delivered as a spearphishing attachment.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9990
Heuristics (5)
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- ClamAV detection (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts (3)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off0000fd91.bin | b6d45e66c7bdeab6fd3ea3f499c63db56cfc173d667f8d7adacb1964713df781 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFD91 | 5300 bytes |
| font_01_sfnt_off00010f91.bin | 33fd8f523d64c67a7e2235bb1de9683bea5cfa03c72d762c2faade7a1c73078a | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10F91 | 10252 bytes |
| font_02_sfnt_off000132da.bin | 333c6b7950143ef5b768b9d621755905cb9f9f437be433e332b6baa8edb2b5fd | pdf-font-stream | PDF embedded font (sfnt) at offset 0x132DA | 16148 bytes |