PDF malware analysis — malicious · b8faf281802c8811

MALICIOUS

PDF

85.4 KB Created: 2021-03-28 10:38:50 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-08-25

MD5: 1e5cb7f99fd4ae4c61281d8a019a8b8c SHA-1: 95828517664f56b232528bdd28cf8f0bdc987595 SHA-256: b8faf281802c8811ef838107f45e201072bdf10d5b47f61fbb887216fdaa308d

186 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 Malicious Link

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains a significant number of external links, many pointing to disposable hosting, suggesting a link farm or SEO manipulation tactic. The primary URL, 'https://maypoin.ru/wix?keyword=mhw+pandora%2527s+arena+not+showing+up', appears to be a lure for search engine traffic, likely to redirect users to further malicious content or phishing pages.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://maypoin.ru/wix?keyword=mhw+pandora%2527s+arena+not+showing+up PDF link annotation
- https://cdn.sqhk.co/vixonafom/cgjiigg/burnout_masters_money_glitch.pdfIn PDF document text
- https://sorozodosunew.weebly.com/uploads/1/3/1/3/131381031/6f3801.pdfIn PDF document text
- https://cdn.sqhk.co/dofubetu/njdufhb/ravefijalutalapijufibor.pdfIn PDF document text
- https://cdn.sqhk.co/zitibidino/aji6ps1/all_star_sports_resort_map.pdfIn PDF document text
- https://cdn.sqhk.co/firataxoworo/ibgcxjh/visigiwaxilesazakufilofu.pdfIn PDF document text
- http://tiwilofojifig.sportsontheweb.net/capitalization_and_punctuation_practice_4th_grade.pdfIn PDF document text
- https://nixodogal.weebly.com/uploads/1/3/0/7/130739919/pazadetozeze_zurumon.pdfIn PDF document text
- https://cdn.sqhk.co/novigigexuxo/gegeifv/42041412061.pdfIn PDF document text
- https://cdn.sqhk.co/sowanigog/ghuWgiP/remote_control_battery_led_string_lights.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://1b53f64c-3596-40ff-86ea-95cec8902569.filesusr.com/ugd/838e7e_cac66901d4d849fa862ce2e7b272139e.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/9baafaa2-6d57-49e0-98bd-ddaf5ab64ff0/how_to_use_mr_coffee_dehydrator.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/d00add22-4dde-44ce-bfd8-84ced12e73e4/is_adjudication_the_same_as_arbitration.pdfIn PDF document text
- http://zozupajekuledus.myartsonline.com/23912361491.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/d258b26a-6be0-4555-9644-3ac305ca494f/rovilanumukojob.pdfIn PDF document text
- https://2a4c341d-9af7-4f89-b48a-1b926ad6ced7.filesusr.com/ugd/dd6616_c067eb7b98b642a185ee81877e5de94c.pdf?index=trueIn PDF document text
- https://76a725e8-946c-4ae9-9249-cda469d35108.filesusr.com/ugd/83c8cc_dbb74a8c47474eaaa59cadf97bb9b373.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/0dcb753f-c531-4aea-b965-a4a9c545d1b2/bonifeverire.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000f9e7.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF9E7	3536 bytes
SHA-256: `75ed4ce2339df79b89f23052aa6746de5b2dfc6d19482609efd9a8cfb9407fa0`
`font_01_sfnt_off00010664.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x10664	5320 bytes
SHA-256: `f22079acbe013db5b53f732bae7a660a9f42b402f7040aa471e0fbebb21e74d8`
`font_02_sfnt_off0001189b.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1189B	15628 bytes
SHA-256: `0a2ee39fc55ca35955c490ae867041589196f767e9e0e1126c1cd8835055b964`

Open this report in the interactive analyzer, or submit your own file for analysis.