PDF malware analysis — malicious · a78c072eb04d91fd

MALICIOUS

PDF

76.2 KB Created: 2021-03-09 19:25:19 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-07

MD5: 11fa13d20677f89c1a3afeba8a2b45b3 SHA-1: b23862cc5109ae881b4cb17ace474347f2f3502c SHA-256: a78c072eb04d91fde3cd506848dcb47ad21bbdd093aeca9c0996b61f38b321d8

186 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains a large number of external links, many hosted on disposable domains, indicative of a link farm or SEO manipulation tactic. ClamAV and ML classifiers identified this file as malicious, specifically as a phishing or trojan PDF. The presence of numerous external links suggests a potential distribution mechanism for further malicious content or phishing attempts.

Machine Learning

Nyx PDF Classifier malicious score 0.9996

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://pelibifir.ru/award?keyword=patofisiologi+blighted+ovum+pdf PDF link annotation
- https://cdn.sqhk.co/pevizopubok/B1gcjeK/bob_the_robber_4_season_3_japan.pdfIn PDF document text
- https://cdn.sqhk.co/mivoteloxip/6lvjhVG/27140927438.pdfIn PDF document text
- https://fujovufizopi.weebly.com/uploads/1/3/2/7/132710671/c4b0955f.pdfIn PDF document text
- https://cdn.sqhk.co/fuluzagile/6Gurjj2/67324863502.pdfIn PDF document text
- https://fadagesaxe.weebly.com/uploads/1/3/4/5/134587500/xawuruxemakowik.pdfIn PDF document text
- https://livubefelamujir.weebly.com/uploads/1/3/4/8/134899239/4a7738d34f52.pdfIn PDF document text
- https://cdn.sqhk.co/xevowuto/WFDiagj/fitness_point_llc_reviews.pdfIn PDF document text
- https://cdn.sqhk.co/senosekagoko/qigVijL/delujofebesevasus.pdfIn PDF document text
- https://cdn.sqhk.co/komifugu/djpgg59/wizeti.pdfIn PDF document text
- https://ponegibafuzixi.weebly.com/uploads/1/3/1/4/131406662/sogub.pdfIn PDF document text
- https://pifupiwotuz.weebly.com/uploads/1/3/1/3/131384694/dusetolizi.pdfIn PDF document text
- https://cdn.sqhk.co/dezorevukor/ifhfMia/giant_inflatable_water_slides_for_sale_cheap.pdfIn PDF document text
- https://cdn.sqhk.co/gabisolovima/jbXgcie/megan_thee_stallion_shooting_why.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- http://puviwozizasi.rf.gd/21084963831.pdfIn PDF document text
- http://kanisal.epizy.com/fevisusanuxezakobizanina.pdfIn PDF document text
- http://borinalujid.epizy.com/wozikidotewosimirexu.pdfIn PDF document text
- http://gataluxogawix.epizy.com/riwasatumesozigazonab.pdfIn PDF document text
- https://68358877-4ee6-4e53-94f7-4bd9665c1f53.filesusr.com/ugd/3bbd68_53d5a617d99c4749a987ef9182057ff4.pdf?index=trueIn PDF document text
- http://jixetumoxefa.epizy.com/android_games_cracked_apk.pdfIn PDF document text
- https://08c3cc13-1ce0-4add-927e-a3aed263473e.filesusr.com/ugd/ccf397_1efdf1697ed14858a4ae18693f424812.pdf?index=trueIn PDF document text
- https://a765b249-d442-4b07-8ea9-8318d996b894.filesusr.com/ugd/902d29_47d2379ad61b415180569c18c12f46d9.pdf?index=trueIn PDF document text
- https://c0b8f06b-4e98-4d3d-89ef-2f08caba629a.filesusr.com/ugd/0c8cc8_c74d9a02d942496f871a01b161f39a17.pdf?index=trueIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000ed54.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xED54	5560 bytes
SHA-256: `200e7e5d31bf6b68fb380e277386be1dd031c82ce27aa27f754d32c8169f7b5c`
`font_01_sfnt_off00010021.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x10021	10368 bytes
SHA-256: `f386294a6015e0c1bfee363293a1721c596df77455046eadf190fe5370bb4c11`

Open this report in the interactive analyzer, or submit your own file for analysis.