PDF malware analysis — malicious · c51e6a8712a1bf1b

MALICIOUS

PDF

79.5 KB Created: 2021-03-15 01:31:19 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 5c4fd058f180e7e08864c32a614542ed SHA-1: 969979484380ba1e90dda57f0582eef8d6513cc1 SHA-256: c51e6a8712a1bf1b3edcc4bfcb88b4fdc9e6b5309a35817c2444cb4067cfae78

196 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

The PDF file contains numerous external links, many pointing to Weebly and Strikingly domains, suggesting a link farm or phishing operation. The heuristic 'PDF_SEO_LINK_FARM' and the presence of URLs like 'druttle.ru' indicate a malicious intent to redirect users to potentially harmful sites. ClamAV detection as 'Pdf.Phishing.Trojan' further supports the malicious classification.

Machine Learning

Nyx PDF Classifier malicious score 0.9990

Heuristics 6

Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND

Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://druttle.ru/wix?keyword=high+school+story+apk+mob
- https://dutizadip.weebly.com/uploads/1/3/4/8/134889078/bamavisarina_davokelagila_somanofopuv_vikalorawifire.pdf
- https://tarutugiwom.weebly.com/uploads/1/3/5/3/135326066/7324243.pdf
- https://wogalipa.weebly.com/uploads/1/3/4/3/134316604/nekapexevuz.pdf
- https://juvarefuj.weebly.com/uploads/1/3/1/3/131398009/98a547.pdf
- https://rukupapafi.weebly.com/uploads/1/3/0/7/130739745/lubabefebeta-rewejoxo.pdf
- https://xufodikufidu.weebly.com/uploads/1/3/5/3/135382923/lewonifezujowog_zufanuzevixo_gugadibenos_gizopexuxikijas.pdf
- https://nipoxumafoji.weebly.com/uploads/1/3/4/7/134717148/febebe.pdf
- https://kafedujewerom.weebly.com/uploads/1/3/4/6/134622586/7727628.pdf
- https://jerefukixuludew.weebly.com/uploads/1/3/4/6/134686450/jawazeruz.pdf
- https://pidofuvu.weebly.com/uploads/1/3/0/7/130739764/8924732.pdf
- https://parimuxuroz.weebly.com/uploads/1/3/2/6/132682994/zokasofixawuved.pdf
- https://xomitemekebok.weebly.com/uploads/1/3/4/8/134881854/tewowepu.pdf
- https://motefeka.weebly.com/uploads/1/3/4/1/134108707/6495966.pdf
- https://lilepixot.weebly.com/uploads/1/3/4/4/134462463/xukovex_ximux_koxemuwu.pdf
- https://fopepusev.weebly.com/uploads/1/3/1/3/131383694/5207588.pdf
- https://wavujosivisero.weebly.com/uploads/1/3/2/7/132740585/4094484.pdf
- https://uploads.strikinglyc
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://www.daltonmaag.com/
- https://uploads.strikinglycdn.com/files/8a7fa63a-5f77-4c32-92f5-a6d46c455a40/why_does_windows_powershell_pop_up_on_startup.pdf
- https://uploads.strikinglycdn.com/files/97e47331-c20d-420a-9d27-a4401ec4f408/vizewo.pdf
- https://7a48fde5-f9d1-4ce4-84a2-8b156d245d18.filesusr.com/ugd/8127dd_6ba5e1a227df42d8b52727bcb60a4b61.pdf?index=true
- https://aefbb2f1-1cfc-4a48-aab2-d72547d84173.filesusr.com/ugd/2f3ac6_6ca496890703422e992be260e409b888.pdf?index=true
- https://e691ad07-92dc-45fa-af10-8929b4045ede.filesusr.com/ugd/87b9a8_0f1b6ba40a2b4ba7b3d881094005e31d.pdf?index=true
- https://uploads.strikinglycdn.com/files/3614c3e6-5039-4bc7-b0ed-caa3921d0ea1/what_can_be_done_about_parental_alienation_in_texas.pdf
- https://37976aa0-f55f-47d3-847a-8d185b13ebf6.filesusr.com/ugd/1d6212_0ddf738774d144d3a1cb0ea951a7751b.pdf?index=true
- https://uploads.strikinglycdn.com/files/08f9abf7-1492-45e1-b541-34caa04a485f/lalubanizowegep.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000ebe0.bin` `330f232d1cd611465d2f4d8197a552011b0d0e82aaa525969b04e0384d32229a`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xEBE0	5180 bytes
`font_01_sfnt_off0000fd7a.bin` `a865f25c65748e53fb392ed257da6bd08e20d9ca41b19462b8be2ee2c483d5b1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xFD7A	10784 bytes
`font_02_sfnt_off00012277.bin` `d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x12277	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.