PDF malware analysis — malicious · b1bc9c925fe683d6

MALICIOUS

PDF

82.4 KB Created: 2021-03-28 06:51:36 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 070a11e94ecdbc15ac4139648f1a067a SHA-1: 6700f9407ec5d06f7394dc5852f2e55e514da767 SHA-256: b1bc9c925fe683d61138ec2463a3b00a0e116bc9a0db0304c59bbbfa6f668acd

226 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file exhibits characteristics of a link farm designed to redirect users to potentially malicious websites, as indicated by multiple heuristics and a high ML classifier score. The presence of a 'Password-protected archive lure' heuristic suggests an attempt to disguise a malicious payload. While no scripts were directly extracted, the PDF structure and embedded URLs point towards a phishing or malware distribution scheme.

Machine Learning

Nyx PDF Classifier malicious score 0.9992

Heuristics 7

Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE

Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://golowaki.ru/123?utm_term=avast+security+mac
- https://tezefuvin.weebly.com/uploads/1/3/4/4/134496048/gunisudu_nijetomifidil_dewax.pdf
- https://xirunokud.weebly.com/uploads/1/3/4/4/134467368/modutaser-vagux-risuli-jibujikap.pdf
- http://pipvip.ru/the_heart_of_darkness_movie_free_downloadq14h1.pdf
- http://changepass.online/ukulele_strumming_patterns_4_4d4fg6.pdf
- https://cdn.sqhk.co/wadelovelo/Pjfjejb/12884441371.pdf
- https://mogoxolokelitaf.weebly.com/uploads/1/3/4/6/134645696/296cb.pdf
- http://reduslim-officialsite.site/easy_voice_recorder_for_android_freel0ati.pdf
- http://pek-24.cc/gone_til_november_lil_wayne_reviewswsio2.pdf
- https://cdn.sqhk.co/fosuzonarefi/aBhfghU/osu_biometric_health_screening_form.pdf
- http://matrixbicycles.com/un_decimetro_cuantos_centimetros_tienevlh6f.pdf
- http://nakanilo.club/51923875498q4dte.pdf
- https://fuwupizur.weebly.com/uploads/1/3/5/3/135390256/zoxax.pdf
- https://menajogatidufe.weebly.com/uploads/1/3/0/7/130740573/pukexozinuwuraj.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://www.daltonmaag.com/
- https://d451e762-8e00-4155-9971-9512d28d2528.filesusr.com/ugd/b52961_f5273604cd3043949ec38abc037d2407.pdf?index=true
- https://s3.amazonaws.com/mibiwivanetuj/writing_numbers_in_expanded_exponential_form_worksheets.pdf
- https://s3.amazonaws.com/voropa/zatikafijodovurugiziwe.pdf
- https://s3.amazonaws.com/jejulurowev/6983624883.pdf
- https://8dcf3d85-40eb-4350-b789-ae6ac2c46e24.filesusr.com/ugd/21d17a_62b5a42685bc45afa7b61cbd3e1cb3a1.pdf?index=true
- https://7095e710-59ac-4d27-8a5a-f3bbcaf65deb.filesusr.com/ugd/418e76_61baa623be084b8d8a0a3c602345f0f0.pdf?index=true
- https://s3.amazonaws.com/zazelujeju/1544682062.pdf
- https://s3.amazonaws.com/rorives/emerging_risks_report.pdf
- https://89511c73-251b-4bee-a1a5-5f4bd4863124.filesusr.com/ugd/f24cb8_d12541e3cc4c4ffc80c5791260fbbc81.pdf?index=true
- https://141ebdc9-a3c9-4c6d-b8f9-366dbf139dec.filesusr.com/ugd/46bfb0_86d0ea7d0d1c43968ba048e109d13dca.pdf?index=true
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000f655.bin` `e1e7b690ddc5fbd9cb91a58d6ab79c5b84cc8c134497f4cc6992b5537f477d59`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF655	4732 bytes
`font_01_sfnt_off0001066d.bin` `2be6e861a6e985d710a621becb4888f0cfae05ded1cd3d3e3882ce2dfe8043fd`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1066D	12436 bytes
`font_02_sfnt_off00012e49.bin` `d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x12E49	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.