PDF malware analysis — malicious · c79e69f6145bf6af

MALICIOUS

PDF

79.4 KB Created: 2021-05-10 23:20:43 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-20

MD5: 7b4aaa6a661ea9da94bb2470eee823cb SHA-1: 26668f9f7bab7a4827861754d37fad1f413a8545 SHA-256: c79e69f6145bf6af84389d68f659973d2baf2a30fb765fbb2adc19c8d7b38404

184 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous embedded URLs, with at least one identified as a malicious redirector. The ML classifier and ClamAV detection strongly indicate malicious intent, likely for phishing or to serve a second-stage payload. The document body is heavily obfuscated, but the presence of a URL related to 'wordpress admin login page not available' suggests a lure for credential harvesting.

Machine Learning

Nyx PDF Classifier malicious score 0.9997

Heuristics 5

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://yafferge.ru/strik?utm_term=wordpress+admin+login+page+not+available In PDF document text
- http://kikawogax.iblogger.org/gujarat_samachar_today_newspaper_vadodara.pdfIn PDF document text
- https://cdn.sqhk.co/joduragenep/iajjAja/pajovolepodemitiwitu.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4472506/normal_5fcb5bc3c7f8c.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4473938/normal_6012b2455b61a.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4457332/normal_60283f87c2b83.pdfIn PDF document text
- https://cdn.sqhk.co/peluxisomex/ojf2rii/how_to_make_your_knife_sharpener.pdfIn PDF document text
- http://vuzatiriranune.22web.org/ambient_noise_app_for_android.pdfIn PDF document text
- https://cdn.sqhk.co/wepiwuvume/jdb5sgc/hope_pictures_and_quotes.pdfIn PDF document text
- https://cdn.sqhk.co/tamoravuwera/giichjA/9120113114.pdfIn PDF document text
- https://cdn.sqhk.co/tuwodemo/opm3L6Z/chustar_k_3._0.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4426541/normal_601a1cc781f5b.pdfIn PDF document text
- http://vijufik.iblogger.org/aashiqui_2_movie_hd_1080p_free.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4393626/normal_5fdd9525c89b4.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4483365/normal_602d8ae1dc3ac.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/ce87d254-74d6-4ef1-b8f2-6fced7d5884c/intermatic_hb88rc_outdoor_timer_instructions.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/4baa8e68-5d53-47ed-b3f1-31c04de956ca/dbt_fast_skills_video.pdfIn PDF document text
- http://puzejiruniri.rf.gd/49112399448.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/0ff61c1c-b268-4183-9ecd-a3f7240bf896/yamaha_hs8_review_what_hi_fi.pdfIn PDF document text
- http://xajetizefo.rf.gd/duniros.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/87b70c91-989d-4f55-889d-65bb85335509/all_diary_wimpy_kid_books_in_order.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/5085ffcb-88bb-4278-a095-78eca939feae/kukesawuko.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000f7c0.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF7C0	5492 bytes
SHA-256: `97c7646a7a8bd20e5ec43c3bfb0b659a4daf829748e4bd819455d8b7b5d61559`
`font_01_sfnt_off00010a65.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x10A65	11116 bytes
SHA-256: `91e68714b13dd89d39eecd08d47775c8d52981032ac07221135e02be0326ed4b`

Open this report in the interactive analyzer, or submit your own file for analysis.