Malicious PDF — malware analysis report

Static analysis result for SHA-256 c4c1f725561374ea…

MALICIOUS

PDF

Size: 100.0 KB
Created: 2021-03-13 16:20:02 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: db908ca219413fe086ee8cf20140a561
SHA-1: 2d8516bcf94c1f5bd4d9cde0203068781f4134a6
SHA-256: c4c1f725561374ea38636cd75a995ced3cc45afa23e4b9da25d0c300740c313c
Risk Score: 166

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The sample was identified as malicious by ML classifiers and ClamAV, and exhibits characteristics of an advance-fee scam. The PDF contains numerous external URIs, including one pointing to a link farm on disposable hosting, suggesting an attempt to redirect users to malicious content. While no scripts were explicitly extracted, the PDF structure and heuristic firings strongly indicate a phishing or scam attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9988

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    The PDF contains an external URL action.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size / SHA-256

  • font_00_sfnt_off0001377c.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1377C
    Size: 5968 bytes
    SHA-256: d70e5a8d54d5e6c948552d1d8280d6072521838c2fd246789ac1d48cc516dc36
  • font_01_sfnt_off00014bc0.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x14BC0
    Size: 11996 bytes
    SHA-256: 9146f943309b1e08bb08dd8d79baaca02c6460afeca5fea86adf69164c37d3e5
  • font_02_sfnt_off000173b2.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x173B2
    Size: 4324 bytes
    SHA-256: 1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361