PDF malware analysis — malicious · c1948ac5bf346dd1

MALICIOUS

PDF

92.2 KB Created: 2021-03-28 01:21:01 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-21

MD5: f9e114a0805887ece45d075d1a72294f SHA-1: 6a4b64a1ee11407e6d75cf2c03578b8f9fa2fbfa SHA-256: c1948ac5bf346dd1e45d119ae09ad78f0e677c6e461a142802f1a655a5641611

186 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was identified as malicious by both ML classification and ClamAV, specifically as a phishing trojan. It contains a large number of external links, many pointing to disposable hosting, suggesting a link farm or SEO manipulation tactic. The document body, though heavily obfuscated, appears to be a lure related to 'keto bread recipes', likely to entice users to click on the embedded malicious URLs.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://zajinet.ru/award?keyword=keto+bread+recipe+pdf PDF link annotation
- https://cdn.sqhk.co/sovokeduseb/apjdshf/huey_lewis_sports.pdfIn PDF document text
- http://atomyimperial.ru/paduvajumuxud9yny.pdfIn PDF document text
- http://hocostyle.ru/el_seor_de_las_moscas_resea_cortalxm7k.pdfIn PDF document text
- https://cdn.sqhk.co/pojimisuso/hcjagfR/microban_24_sanitizing_spray_sds.pdfIn PDF document text
- https://cdn.sqhk.co/kegufamop/miauhiE/67735678406.pdfIn PDF document text
- http://gatorama.fun/how_to_write_good_copy4j2et.pdfIn PDF document text
- http://gedadekenoz.mywebcommunity.org/mejunobeda.pdfIn PDF document text
- http://fanisore.sportsontheweb.net/51462852356.pdfIn PDF document text
- https://cdn.sqhk.co/bipadifudame/gjyievi/kalagalifabupuwopokir.pdfIn PDF document text
- https://cdn.sqhk.co/gepumenujeme/I4pjgs6/tank_1990_battle_city_hack_nes_download.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/3a599a69-88d0-4a66-9e03-8c229ff990c5/73720276856.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/993c4325-ff00-47fe-8a58-60e81dc3e970/lilipufugeperikuwurixixo.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/50a5e407-3446-41b7-954b-374e29855ffe/72630625415.pdfIn PDF document text
- https://828c6a01-da61-4814-986a-f72e64f4f334.filesusr.com/ugd/cdfdba_53e38ffeb4dc4878888b0b8668ea8ee4.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/fe329554-324d-4637-ab32-c4a20a0e0f1e/beretta_m9a3_holster_blackhawk.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/9a5f4e68-ada9-4cfc-b69e-d3da989d23d6/urban_tantra_book.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/ccf7452b-3696-46e5-a3b6-370593b4f187/vukevitijikaxozeda.pdfIn PDF document text
- https://4a1fbaa0-0e67-401b-a466-96699e2e5642.filesusr.com/ugd/9647bf_e3c559e1ba1d40219687da77910a27d4.pdf?index=trueIn PDF document text
- https://1ba6f066-89d4-4445-b8a9-08a6de046ef2.filesusr.com/ugd/d40554_33e4a114996b43b796432a368dd4f7e7.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/c2476c13-676e-4062-b19a-6411044d5519/jivubefenivujatufemejozi.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000129d4.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x129D4	5048 bytes
SHA-256: `d365fa8c0de70f4386f6328bb62e985fe66e80bbfb33ad5348c2828e9ce34b70`
`font_01_sfnt_off00013b10.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x13B10	11980 bytes
SHA-256: `6b71984f6da54975e7a522727d473fcc9ad93962a0a80cd7a2ac1c26da4c5a09`

Open this report in the interactive analyzer, or submit your own file for analysis.