PDF malware analysis — malicious · bc8d90f1682e4686

MALICIOUS

PDF

82.2 KB Created: 2021-09-12 05:43:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-16

MD5: e6db620b3db7ee432b8c5f7a5011e89a SHA-1: a806862ae0188efbe9cb659030a5acd61224d998 SHA-256: bc8d90f1682e46862a17992dbc723fc031b020a492f7a51e7e6993202e2a1841

146 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The PDF file was flagged by ClamAV as Pdf.Phishing.Trojan and an ML classifier indicated a high probability of maliciousness. The document contains a large number of embedded URLs, many of which point to disposable domains or are structured as link farms, suggesting a phishing or malware distribution attempt. While no scripts were explicitly extracted, the presence of numerous external links and the heuristic 'PDF_SEO_DISPOSABLE_LINK_FARM' strongly indicate a malicious intent to redirect users to potentially harmful sites.

Machine Learning

Nyx PDF Classifier malicious score 0.9977

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
QR-code redirect lure medium SE_QR_LURE

Document instructs the user to scan a QR code with a phone — consistent with QR phishing, but also common in legitimate documents
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://2m-m.eu/userfiles/files/91270332386.pdf In PDF document text
- https://ichibaninfotech.com/ckfinder/userfiles/files/53009069017.pdfIn PDF document text
- http://fertilityupdates.com/userfiles/files/wupovejopagogi.pdfIn PDF document text
- http://creativeindustries.ru/uploads/userfiles/file/12073868030.pdfIn PDF document text
- https://ecpa.fr/uploaded/file/99530813641.pdfIn PDF document text
- http://cmtsport.com/pliki/61963004267.pdfIn PDF document text
- https://intrigantka.ru/images/userfiles/file/34414939753.pdfIn PDF document text
- https://www.abandassociates.com/ckfinder/userfiles/files/17323058715.pdfIn PDF document text
- https://flavio-tonon.it/public/file/32145984370.pdfIn PDF document text
- https://maria-galland.ru/files/file/48585540050.pdfIn PDF document text
- https://soechi.com/userfiles/file/26859364588.pdfIn PDF document text
- http://ngocminhcnc.com/demo_thietbimay_24_7/upload/files/fokatejuj.pdfIn PDF document text
- http://3gr-group-com.gbintl.com/ci/userfiles/files/sepoxubi.pdfIn PDF document text
- http://camel-republic.com/media/userfiles/files/jewamewokizoraranukab.pdfIn PDF document text
- https://ketex.com/trcgp/ckfinder/userfiles/files/47844887420.pdfIn PDF document text
- https://himalayanthailand.com/image/upload/File/bojujixumududob.pdfIn PDF document text
- https://oykufestivali.com/ckfinder/userfiles/files/vepukiserob.pdfIn PDF document text
- http://shceping.com/upFile/photos/2021-9/file/75551140232.pdfIn PDF document text
- http://mgmkt.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/1613bd3217a00a---xisilukusakenu.pdfIn PDF document text
- https://kakvkusno26.ru/wp-content/plugins/super-forms/uploads/php/files/0c65967427372931dcc4b43720790bd4/panepojevunaragu.pdfIn PDF document text
- http://mrpokedb.com/uploads/files/vobeke.pdfIn PDF document text
- http://contua.org/userfiles/file/18388113121.pdfIn PDF document text
- http://sgrappresentanze.eu/userfiles/files/67437267504.pdfIn PDF document text
- https://feedproxy.google.com/~r/Uplcv/~3/zMnd8XtcwSM/uplcv?utm_term=check+wifi+password+from+androidPDF link annotation
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000dc02.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xDC02	10952 bytes
SHA-256: `02c7dcf1f5f14ff1df5d8fa3a26a0f7a4078ab1ee3ef705c8e7986729289440e`
`font_01_sfnt_off0000f54e.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF54E	16792 bytes
SHA-256: `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`
`font_02_sfnt_off00010d60.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x10D60	17776 bytes
SHA-256: `fd564615ad27ee83d4a4088c780b48b7f0ef0126a54e5b4705760c00c9dd83ad`

Open this report in the interactive analyzer, or submit your own file for analysis.