PDF malware analysis — malicious · ac24cd54d0815dfe

MALICIOUS

PDF

98.9 KB Created: 2021-04-06 19:34:42 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: fded9141472f40fad0e3e70884c23bf7 SHA-1: 6f5667e58fe5cf4262a1dfe2d11faef10cef9233 SHA-256: ac24cd54d0815dfe91b7b26f7c249767cbaecc721c59f38b4d5145e6a67948f6

226 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

This PDF document was flagged by ClamAV as Pdf.Phishing.Trojan and by an ML classifier as malicious. It contains a large number of external links, suggesting a link farm or phishing attempt. Notably, it includes a 'Clipboard command execution lure', instructing the user to copy and paste content into a shell, which is a common technique for executing malicious commands.

Machine Learning

Nyx PDF Classifier malicious score 0.9987

Heuristics 7

Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE

Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://dafemum.ru/123?utm_term=best+battery+monitor+android+xda
- https://wadaletabuj.weebly.com/uploads/1/3/2/6/132695896/ad4a394235d4a.pdf
- http://temezisabekazev.iblogger.org/essential_dutch_grammar_henry_stern_download.pdf
- http://diguwejilevaz.22web.org/gezibotoge.pdf
- https://jitifawe.weebly.com/uploads/1/3/5/3/135327084/479822.pdf
- https://mitukuruzatag.weebly.com/uploads/1/3/5/3/135346955/didigexufo-tetad.pdf
- https://lijemokuw.weebly.com/uploads/1/3/4/8/134853622/sorabava.pdf
- http://vegavos.22web.org/mejewarepekagolabew.pdf
- http://kolunikikirade.22web.org/mcgill_gpa_scale_arts.pdf
- http://kegujusotuk.iblogger.org/gallery_template_free_html.pdf
- https://ruzuxopamekegi.weebly.com/uploads/1/3/4/7/134748505/2479.pdf
- http://fakoxipedobuk.22web.org/kanuboze.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://2d2b1dae-c014-4902-97e6-c3f1d56915cd.filesusr.com/ugd/70e5f7_9373d072d72741a5a3d47d9f7a6b0fa3.pdf?index=true
- https://ad843f61-c544-48d7-8cfb-3c048b9edb46.filesusr.com/ugd/0dd9ed_cc10aa6df03941cbb3ad3811734a5af9.pdf?index=true
- http://redebalumu.rf.gd/8900356265.pdf
- https://01d7ec8a-e38e-4e33-8c76-1be31754498b.filesusr.com/ugd/24d943_ffff8250c92f43a9b8e46613f6b85085.pdf?index=true
- http://xudadadof.epizy.com/bard_job_guide_ffxiv.pdf
- https://s3.amazonaws.com/xapidajovaji/who_is_netflix_girlboss_based_on.pdf
- https://s3.amazonaws.com/gazitif/autumn_leaves_classical_guitar_sheet_music.pdf
- http://wemitagokodunes.epizy.com/53208655933.pdf
- http://zokazote.rf.gd/zojekolowa.pdf
- https://52f9d6e5-2fd5-4906-a030-4d12f703b62a.filesusr.com/ugd/297ecd_2bd22a0ce6ee48c0aa61b7c05eeb8ddc.pdf?index=true
- https://006b50d4-ad2a-4261-8279-34542eb0d7b0.filesusr.com/ugd/a640e9_79768278e23940d5b7b8c620e7ab90bb.pdf?index=true
- https://s3.amazonaws.com/zidosozawok/61644496397.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0001261e.bin` `89bd4d64331dac9dbf5b1f87ba96b5433164e6b4b969417fa7b3663a4ae712a8`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1261E	5300 bytes
`font_01_sfnt_off00013815.bin` `1f8c4a3720a45a9407510f45bf3aa168882d06aa65c133c73a0778ce9b07fb40`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x13815	11792 bytes
`font_02_sfnt_off0001609b.bin` `addf13d45867078d367ff40abc77e8096be8b9307c21152b1e312940b696087e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1609B	18604 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.