PDF malware analysis — malicious · ad67e73ac8d9a069

MALICIOUS

PDF

86.7 KB Created: 2021-03-10 02:45:54 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-20

MD5: 693ea2fa669580bea4d67eda629b028b SHA-1: 7e891f4a305e06c4d6622ef2a728196a5ef1be09 SHA-256: ad67e73ac8d9a0695767fbcd92852766b09f6b2fe50efc0aeff24abfa008b2e6

186 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of external links, many of which are hosted on disposable domains, suggesting a link farm or phishing attempt. The document body, though heavily obfuscated, appears to be a lure related to COVID-19 security talks. The ClamAV detection and ML classifier strongly indicate malicious intent, likely related to phishing or SEO manipulation.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://leonvi.ru/strik?utm_term=charlas+de+seguridad+contra+el+covid+19 PDF link annotation
- https://kavavori.weebly.com/uploads/1/3/4/0/134012315/9816581.pdfIn PDF document text
- https://marizezibafive.weebly.com/uploads/1/3/4/8/134865590/disinawimuj_nogetowitat_vinedekekub_bipidafo.pdfIn PDF document text
- https://gopelema.weebly.com/uploads/1/3/4/3/134314553/62a680.pdfIn PDF document text
- https://golizagizaziw.weebly.com/uploads/1/3/4/7/134701046/aeafc9a.pdfIn PDF document text
- https://nipetetoxijekuj.weebly.com/uploads/1/3/4/7/134718304/xijozozawux.pdfIn PDF document text
- http://ig-copyrightviolation.com/salems_lot_2004_reviewggmdt.pdfIn PDF document text
- https://dunelakanova.weebly.com/uploads/1/3/1/4/131410870/sijenorar_jekamik_kimifar_vurowakara.pdfIn PDF document text
- http://cparta.moscow/bubble_bobble_2_heroda88b.pdfIn PDF document text
- https://polalakenasi.weebly.com/uploads/1/3/0/8/130813885/7565506.pdfIn PDF document text
- http://hookup757.fun/wojesirusxcx.pdfIn PDF document text
- https://tulelamesesixe.weebly.com/uploads/1/3/5/3/135321102/sotegi.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://e0eedba4-cf99-4c42-97f5-d3f9ae5832dd.filesusr.com/ugd/e36ea7_c26cf1c4a7734296aab1ab84e1618c5d.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/fcf545a8-61b9-4a05-9820-217e35c24173/61556415833.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/fc85a781-d3c8-42cc-a1c6-58bd9c595f01/flir_tg165_price.pdfIn PDF document text
- https://5ac9d038-517d-4536-97f6-676423289421.filesusr.com/ugd/b444d4_b0ab10d123a54e3cbf3c5dfdc6d2aecb.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/9894d082-c519-4cbb-a780-12b1b894c1eb/chrome_flash_player_plugin_android.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/003265ec-ec9d-4111-b093-4233537b948b/white_tiger_netflix_storyline.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/00545e3b-7fa9-4478-b7bd-c8b847af30c3/past_perfect_simple_tense_exercises_with_answers.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/8e3f2b02-4fa6-4d57-a05e-a42513985f00/what_does_on_your_honor_mean.pdfIn PDF document text
- https://167c8e7b-8160-49a2-a88e-f26749d647c8.filesusr.com/ugd/1ad47d_5838cc863be64c4882a6ccbb85ce879e.pdf?index=trueIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000112d3.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x112D3	5376 bytes
SHA-256: `2b0e1316dae3e9a9822228625240d4a5ca5555bae966033a4fa48e492d1116ce`
`font_01_sfnt_off00012515.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x12515	12336 bytes
SHA-256: `c1b277aa5aaeefe2778109c01083d434db6779962de7db289abe98a6232fe4dc`

Open this report in the interactive analyzer, or submit your own file for analysis.