PDF malware analysis — malicious · bf3c1cdb44c973e3

MALICIOUS

PDF

72.8 KB Created: 2021-06-11 07:19:36 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-27

MD5: a2c5f9e35e103ecb46b43688e6cef857 SHA-1: 65205166e11cf93ace240cc462d600f9ef992f7e SHA-256: bf3c1cdb44c973e3e3c9c92045fd91ec965380cc0c43eccde5bac295ee118526

186 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous links to external websites, many of which are hosted on disposable domains, suggesting a link farm or phishing operation. The ClamAV detection and ML classifier strongly indicate malicious intent, likely to redirect users to a malicious site for further exploitation or credential harvesting. No scripts were extracted, but the PDF structure and URL patterns are indicative of a phishing lure.

Machine Learning

Nyx PDF Classifier malicious score 0.9997

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://allytemp.ru/pbw?utm_term=warhammer+40k+8th+edition+rules PDF link annotation
- https://cdn-cms.f-static.net/uploads/4402711/normal_606a3770753b5.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4378155/normal_5fc6b37cacbd3.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4404503/normal_5fd045bb42fca.pdfIn PDF document text
- https://tuvunexe.weebly.com/uploads/1/3/4/3/134327091/botuzemebi.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4425514/normal_60bedbf834177.pdfIn PDF document text
- https://manovofaripoluf.weebly.com/uploads/1/3/1/4/131453531/6138.pdfIn PDF document text
- https://static.s123-cdn-static-d.com/uploads/4368478/normal_60b4bba4a8c1d.pdfIn PDF document text
- https://static.s123-cdn-static-d.com/uploads/4366327/normal_60b4c34394e26.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4490725/normal_6026624f633dd.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4449402/normal_6002c1314618c.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4483855/normal_604751e2ba55c.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4370078/normal_6039d9a1c9543.pdfIn PDF document text
- https://xijuwubime.weebly.com/uploads/1/3/4/2/134234920/2429285.pdfIn PDF document text
- https://balalowomave.weebly.com/uploads/1/3/0/7/130738893/lizexoxabofozibup.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/43dc7352-37bf-4cc6-8319-6d680a61b69f/fikevotojewadi.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/276adb49-d44d-4482-9b3b-4753d7628174/puronitokipanewim.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/18a357e5-3d94-4d32-8701-c67fb8234bfa/robin_hood_card_customer_service.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/e898c079-431a-4e12-9127-f8b991845c46/24568328349.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/c8ea460e-55c7-4221-bd72-c4d274aa2017/sesebewezuvu.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/b6906d1f-8904-498b-a795-9e9c90f8fb4d/dijalorep.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/b834b5a4-bf22-4469-8f20-545bbd7b5ff4/33593317747.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000def0.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xDEF0	5564 bytes
SHA-256: `bde4f1bf51840e2d75d8567080012720d87f0568ce623c7a3615c407b50ad5e7`
`font_01_sfnt_off0000f1bf.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF1BF	10556 bytes
SHA-256: `8ab24a4fec3806f74ad50c679e7f1eae6140ab2fd205429fd67b1dd8cb10d3d3`

Open this report in the interactive analyzer, or submit your own file for analysis.