PDF malware analysis — malicious · b4b3fb22667bf052

MALICIOUS

PDF

81.3 KB Created: 2021-09-19 08:04:01 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-26

MD5: 9f2afa4f763c22589f0f220c1b140d84 SHA-1: 34fe24aa6cab82c7fcbc540fd4778206e213ab6b SHA-256: b4b3fb22667bf052cb4f6885e457b5f89acaa4d93ecfbef0f343b44410e0b09c

142 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The PDF contains numerous external URIs and is flagged as a link farm on disposable hosting, suggesting a phishing or malware distribution attempt. The embedded JavaScript stream and ML classifier further indicate malicious intent, likely to download a second-stage payload. ClamAV detection confirms this assessment.

Machine Learning

Nyx PDF Classifier malicious score 0.9985

Heuristics 7

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://archism.ru/uplcv?utm_term=cargo+transport+mod+apk PDF link annotation
- https://www.audioclinica.pt/wp-content/plugins/super-forms/uploads/php/files/hoccck8rq89tiv3grbtjub5knj/5853231891.pdfIn PDF document text
- http://krallarintavugu.com/upload/file/kadenuvodaxegesuruwefabit.pdfIn PDF document text
- http://plenaseguroseprevidencia.com/fotosempresa/files/jijumexagavax.pdfIn PDF document text
- http://perechen-jurnalov.ru/js/ckfinder/userfiles/files/jojusebiverunep.pdfIn PDF document text
- https://commonwealthsportsawards.com/userfiles/file/xoxisaripuxo.pdfIn PDF document text
- http://snnet.kr/board_pds/fckeditor/2021/09/file/volufineburizirodup.pdfIn PDF document text
- https://ganport.pl/userfiles/file/93364777965.pdfIn PDF document text
- https://tyeetomsfishing.com/userfiles/file/vixozitemotigagarefatemuv.pdfIn PDF document text
- https://ercrs.org/wp-content/plugins/super-forms/uploads/php/files/1au0l1gjqcqabk8kaf0iebtm3n/benosadofirodemujo.pdfIn PDF document text
- http://nebovsem.ru/app/webroot/files/files/66266268602.pdfIn PDF document text
- http://cosonhuath.com/hinhanh_fckeditor/file/woxasi.pdfIn PDF document text
- http://eiffelflowersquesnel.com/userfiles/file/gorijimenasasexesiturelok.pdfIn PDF document text
- http://kstarsmall.net/userfiles/file///narujawebokidapetox.pdfIn PDF document text
- https://value.ae/userfiles/file/kirixivanuduxitofepu.pdfIn PDF document text
- http://hexindechem.com/upload/files/12526767518.pdfIn PDF document text
- http://htk2.altrodesign.eu/ckfinder/userfiles/files/gifogiximemukelir.pdfIn PDF document text
- http://hfnhsw.com/upload/files/rumijirakik.pdfIn PDF document text
- http://www.kickcommerce.com/userfiles/file/38632657569.pdfIn PDF document text
- https://pcetravel.com/files/file/79861676371.pdfIn PDF document text
- http://www.polni.si/Images/files/lejinadejisid.pdfIn PDF document text
- http://mondoacquapiscine.com/userfiles/files/95369838418.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000d7db.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xD7DB	10588 bytes
SHA-256: `7c0f7f8ba2c73975e749f425735010086200d2293f4459936f1ae9ed1497a25c`
`font_01_sfnt_off0000efd3.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xEFD3	18456 bytes
SHA-256: `cbbe2579f7d92828baecbdb672235e5325bdf216f6b830e03976465667988ba4`
`font_02_sfnt_off00011f64.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x11F64	16792 bytes
SHA-256: `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`

Open this report in the interactive analyzer, or submit your own file for analysis.