PDF malware analysis — malicious · a6065d7c5daffb43

MALICIOUS

PDF

93.8 KB Created: 2021-05-28 07:24:14 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: faa625816e9eef7f92eaa2cfdbeba2a9 SHA-1: d68989f548fcfe74a2c542b945b33440ee93a6e4 SHA-256: a6065d7c5daffb4385d66a3793e9315200a23162e90f456771a163c0e67c63dc

204 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of external links, many of which are to benign-looking documents, but one prominent URL points to a malicious domain. The heuristic 'SE_PASSWORD_ARCHIVE_LURE' suggests the document may be attempting to trick the user into downloading an encrypted payload, which is a common tactic for malware delivery. The ML classifier and ClamAV detection strongly indicate malicious intent.

Machine Learning

Nyx PDF Classifier malicious score 0.9973

Heuristics 7

Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE

Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://mezovuduw.ru/strik?utm_term=pokemon+x+and+y+nintendo+3ds+emulator+download
- https://jaroxifapo.weebly.com/uploads/1/3/1/6/131636664/7672002.pdf
- https://rojobasexadef.weebly.com/uploads/1/3/2/7/132711954/logexivuxokije.pdf
- https://zudumatiwa.weebly.com/uploads/1/3/0/8/130873708/9450548.pdf
- https://static.s123-cdn-static.com/uploads/4475215/normal_5ff7d9adddae3.pdf
- https://fokifukamanur.weebly.com/uploads/1/3/0/8/130874497/sovip-wobabuzoti-dulavubexemis.pdf
- https://pujezifug.weebly.com/uploads/1/3/0/7/130738771/pamajarumevu_wikumobuwev_nijafinuzuwu.pdf
- https://fitejajozifidom.weebly.com/uploads/1/3/0/7/130775998/8cc9912b.pdf
- https://nojarotawufa.weebly.com/uploads/1/3/4/3/134313922/2050765.pdf
- https://deximuxinudob.weebly.com/uploads/1/3/0/7/130739142/nafedolaxamoniziru.pdf
- https://xozanazefozi.weebly.com/uploads/1/3/0/8/130874019/481ff0e182d.pdf
- https://dizasufe.weebly.com/uploads/1/3/4/6/134680143/4767467.pdf
- https://zisafidavilux.weebly.com/uploads/1/3/2/8/132814196/5962122.pdf
- https://vafebukuwu.weebly.com/uploads/1/3/1/1/131163563/42d315.pdf
- https://felepakupanemof.weebly.com/uploads/1/3/4/4/134473623/muwafelusezenalaman.pdf
- https://cdn-cms.f-static.net/uploads/4374963/normal_600baf9fe6e44.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://www.daltonmaag.com/
- https://uploads.strikinglycdn.com/files/7262cde9-8175-4355-91d4-a563a7664db9/how_to_replace_dryer_timer_knob.pdf
- https://uploads.strikinglycdn.com/files/fc8d3295-f7c6-4c7b-aca4-c39a8288f0ee/50964148261.pdf
- https://uploads.strikinglycdn.com/files/fbc905f3-12a0-4b8f-9c2f-782ef638a702/tubanuje.pdf
- https://uploads.strikinglycdn.com/files/0ac8e3d6-0677-4903-87ef-75a9eb660f9d/in_the_heights_release_date_nz.pdf
- https://uploads.strikinglycdn.com/files/3e9f81f6-1bb8-4d1c-93d5-35f4dd8b9b40/wibej.pdf
- https://uploads.strikinglycdn.com/files/36f19ff0-1f1b-4174-bade-4962df6c4db2/zumeditivarewida.pdf
- https://uploads.strikinglycdn.com/files/bd82efdb-bbf4-455d-a2d2-0c0e7897d8f8/bubebinafemamerabun.pdf
- https://uploads.strikinglycdn.com/files/bc1146ee-8487-4fe4-96f9-b7b37435867e/95168606195.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 5

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000f534.bin` `d37a296de93134cd1db020de1e321906ce45623ec2e7fd61cbf8df54554e5b6b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF534	5344 bytes
`font_01_sfnt_off00010751.bin` `3920f27d51b8114feb728dfe8e4b8324436d728c79cc327706bbdbdd68be1218`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x10751	5532 bytes
`font_02_sfnt_off00011a4c.bin` `2cbfb03424b6c80ac9e9d6e671d59dff1aad264c15e22bf7d999786fb32c1155`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x11A4C	12800 bytes
`font_03_sfnt_off000144a9.bin` `44b8022c2a84fec3dc397bc3814882f0590d3d8e5f69667e83b3bad4a88aeee6`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x144A9	16208 bytes
`font_04_sfnt_off000159e9.bin` `1158d95dac44631f497756703988ba3645251422e7ff0015d3fca430225e7c3e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x159E9	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.