PDF malware analysis — malicious · bbb7f611fc303b9f

MALICIOUS

PDF

81.8 KB Created: 2021-05-12 07:36:20 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-21

MD5: 476f8bb7ef1e256cb6217cb570c1dea2 SHA-1: 10537d3f0198afe29948d66a102100922c92a345 SHA-256: bbb7f611fc303b9f3467fde3301c70f01e3f263a7f1412e73b3991f4335768f9

134 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file is identified as malicious by ML classifiers and ClamAV, indicating a phishing or trojan threat. It contains numerous external URIs, many hosted on disposable domains, suggesting a link farm designed to redirect users. The presence of a 'download button' heuristic further supports the lure-based attack pattern. While no scripts were explicitly extracted, the PDF structure and external links point towards a phishing attempt to trick users into downloading a malicious payload.

Machine Learning

Nyx PDF Classifier malicious score 0.9997

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://nipisod.ru/strik?utm_term=premiere+pro+templates+free+modern+titles+pack PDF link annotation
- http://rrrrkkkkk.space/seruzikadalegek0az.pdfIn PDF document text
- http://delalikifavaru.iblogger.org/nozodesurosowumuwider.pdfIn PDF document text
- http://osthondroz.com/zuduparavufizudigiauyh.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- http://fedavuv.epizy.com/design_integration_using_autodesk_revit_2020.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/475ce8f7-24e7-4283-9b3c-71212db519e2/betisitor.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/28b779e1-b449-4a9b-a3c6-aedad0890331/gumon.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/4f1e4d62-d677-4bf5-a91c-96c51a6d5340/13286461882.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/ce819b44-e17b-46c6-a79f-e3f98c53b240/guleterozegu.pdfIn PDF document text
- http://potubavaziripek.epizy.com/vijanewixap.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/1a7c393a-a1dd-493d-a457-0e505e248a45/mazerixejifelura.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/9ab935b3-f434-48be-9ba3-6c7045818e9d/brittle_star_description.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/20807e5e-ce71-476e-8fd0-aafb516fd85d/samsung_grand_prime_plus_price_in_bangladesh.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/d28581ab-d63c-4fe8-bc51-478a3e68b5b8/how_to_become_a_certified_trust_officer.pdfIn PDF document text
- http://vufigenetusanu.epizy.com/android_games_online_rpg.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/acc53703-060a-4e21-94ce-dd0eca743c81/kidde_firex_smoke_alarm_no_green_light.pdfIn PDF document text
- http://kunerev.epizy.com/office_depot_laminating_sheets_11x17.pdfIn PDF document text
- http://mezubivedoxida.epizy.com/wap_in_teri_meri_kahani.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/83794784-9cd2-45a3-8084-0fd4acce17c4/sifonedefelexawetupepi.pdfIn PDF document text
- http://poserub.rf.gd/kp_astrology_books_free.pdfIn PDF document text
- http://xerikosepekev.epizy.com/fugugumasizobexijiruwuze.pdfIn PDF document text
- http://venavabumekaj.epizy.com/63182997836.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00010068.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x10068	5368 bytes
SHA-256: `0a911edb2995f0fc31f03cfb762e693d2773af699a8dc0b72e476c3b0a04d3f2`
`font_01_sfnt_off00011290.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x11290	10908 bytes
SHA-256: `2bb5c58b26b169e4c8b7a71d824c7321f0d1b536a08353d29dde6c13c44951de`

Open this report in the interactive analyzer, or submit your own file for analysis.