PDF malware analysis — malicious · aa2d792c289ead99

MALICIOUS

PDF

77.3 KB Created: 2021-05-27 18:35:55 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-08-25

MD5: 089ddac71033835def5afa2dd52b63e6 SHA-1: 72e80f7546b005fa86abe17604cce2282cf7b1d0 SHA-256: aa2d792c289ead998d9f331cd931a8b644a76ee180ecb43dab76f2f17ab03cbf

186 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The sample was identified as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It functions as a link farm, directing users to numerous external URLs, one of which is `https://bologen.ru/strik?utm_term=golden+boot+race+2021+list`. This behavior suggests an attempt to drive traffic for phishing or to distribute further malicious content. No scripts were extracted, but the PDF structure itself is indicative of a malicious lure.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://bologen.ru/strik?utm_term=golden+boot+race+2021+list PDF link annotation
- https://jakedekokobara.weebly.com/uploads/1/3/1/3/131381480/gukikixenamoxe_pedepegejera_dabuzi_luwux.pdfIn PDF document text
- https://fabofosozani.weebly.com/uploads/1/3/4/8/134870462/guxolal.pdfIn PDF document text
- https://nubapatis.weebly.com/uploads/1/3/4/0/134095887/644f7a7.pdfIn PDF document text
- https://dametubidino.weebly.com/uploads/1/3/1/3/131383661/6f681536c217e8.pdfIn PDF document text
- https://kuxivudu.weebly.com/uploads/1/3/0/8/130813582/8314c187.pdfIn PDF document text
- https://gilepinewuje.weebly.com/uploads/1/3/4/0/134096317/gizakonusaka.pdfIn PDF document text
- https://lokuzovitopoz.weebly.com/uploads/1/3/4/8/134871506/nekemamopefi.pdfIn PDF document text
- https://pimupaxepa.weebly.com/uploads/1/3/1/8/131857198/didinuxevurexe_suzofesuvapo_fizinidegubaz.pdfIn PDF document text
- https://koximewi.weebly.com/uploads/1/3/0/7/130775363/42972.pdfIn PDF document text
- https://raguloduw.weebly.com/uploads/1/3/4/0/134041620/gakesevefu.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/9a855afa-46b8-4177-a2de-3740d26eebc4/is_a_lateral_move_worth_it.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/dbaec2a3-3a93-42a3-9f58-2503b00aa167/wordly_wise_3000_book_6_lesson_3_answer_key.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/95821675-be90-4862-b614-b3ee534e34ac/59815890006.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/c3eee949-b68e-449b-b30f-639a71cd50e0/xajudabekag.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/0b7c7fd0-3b2a-4516-a32e-558b01e4c4f1/3809070515.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/e561335d-be62-450a-abca-e49ad26efffd/wupaduzufabof.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/edbac8c3-6af6-4694-95b7-3a9b0ca08886/bukogepuvedef.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/80c252b7-a884-4599-9870-c0bd4b657b65/intermec_pm4i_admin_password.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000f051.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF051	5432 bytes
SHA-256: `88c4f77547b11bc186fa2deda84901b4fd88e3fce572dc4706b954027545f8af`
`font_01_sfnt_off000102d4.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x102D4	11088 bytes
SHA-256: `e03ebe2a5020c0681c266b912ba2c828edff305b757485896614e4e05eaa570b`

Open this report in the interactive analyzer, or submit your own file for analysis.