PDF malware analysis — malicious · c8431ebfb56febd0

MALICIOUS

PDF

78.7 KB Created: 2021-03-24 17:01:21 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-23

MD5: 3c20eee9830c3a6dda59b4b414e661d3 SHA-1: 4f0ce7a17b92b6ac4a3f8f984fe94eba8b6cdb11 SHA-256: c8431ebfb56febd0db1948fcf24016f74a243a07928688a486be86541b5fb7e9

126 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is a PDF containing obfuscated text and a heuristic firing for PDF_URI indicating an external URI. The primary malicious indicator is the URL https://lozipotod.ru/123?utm_term=personality+meaning+and+nature+pdf, which is likely used to redirect users to a phishing or scam page. ClamAV also detected this file as Pdf.Phishing.Trojan.

Machine Learning

Nyx PDF Classifier malicious score 0.9994

Heuristics 5

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://lozipotod.ru/123?utm_term=personality+meaning+and+nature+pdf PDF link annotation
- https://cdn.sqhk.co/wisivelu/u7eL1jc/laminate_sheet_cost.pdfIn PDF document text
- https://cdn.sqhk.co/vovewotutal/ieFggjd/cyberpunk_city_wallpaper_1920x1080.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4411218/normal_6039713f28a29.pdfIn PDF document text
- https://cdn.sqhk.co/winogolelog/cgggggd/xovewenuxumeke.pdfIn PDF document text
- https://cdn.sqhk.co/metajewamiva/AU6Dgif/ritejati.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4481402/normal_5fe0692933fa7.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4368989/normal_6046da5fce232.pdfIn PDF document text
- https://cdn.sqhk.co/wifinalimow/nwhcgjc/96362985328.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://5b949be5-44ef-49af-96c7-0ebaa8fe632e.filesusr.com/ugd/3402b1_eb124a72c55b4979a3117ed6c986a739.pdf?index=trueIn PDF document text
- https://s3.amazonaws.com/sefiwegegagu/kafazokaninulipewasi.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/7ed420b7-f200-45ec-a04f-cec72b07fd1a/xarab.pdfIn PDF document text
- https://f3dbd103-cf2f-44fc-b0ad-c9004dc38af2.filesusr.com/ugd/1f2646_a4eb62aae48548a3a41a8a279921951f.pdf?index=trueIn PDF document text
- https://s3.amazonaws.com/jenisozazewubo/72640116216.pdfIn PDF document text
- https://183df7f2-4185-4ca0-bfcc-33b39bc842f1.filesusr.com/ugd/9ac34a_999df6023f4644e7b0dc6a06bfd35684.pdf?index=trueIn PDF document text
- https://5a060084-92f5-4e09-b02e-bbac8bb45871.filesusr.com/ugd/05c943_00d48eb39498461eae3f2750d9fdfb58.pdf?index=trueIn PDF document text
- https://53002a68-e35f-4167-ac88-1ab9777d7e72.filesusr.com/ugd/f5bc2a_c9151acdc4484c94a8ce21630086b300.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/8db0e5ab-19f7-4e6f-b76d-0d1c0167808f/5244119833.pdfIn PDF document text
- https://6e6ad6c0-90f2-4367-a025-4e24aeda1d0e.filesusr.com/ugd/c9b7fc_86ed371808414802bc902ce3338c77bb.pdf?index=trueIn PDF document text
- https://s3.amazonaws.com/sivanira/descargar_splashtop_2_apk.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/be41c7c1-2e86-4b82-9b1e-6f636b95a93f/98358670735.pdfIn PDF document text
- https://54957a25-093b-4cbd-a4f0-8eb5fea931f0.filesusr.com/ugd/8ba634_c88fbb912adf4e6c8a59958a13d2ab1d.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/0890c81d-187b-4e9c-9c5d-c58dd5f69065/how_many_hotels_can_you_get_in_monopoly.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/09d225d7-04ff-408f-b423-8c3485ed693e/79065560765.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000f36d.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF36D	5464 bytes
SHA-256: `6f91241db8ce63481750a893ed8fc9964e459e86f7a52709f93bdd38c0e62d8a`
`font_01_sfnt_off000105f9.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x105F9	11048 bytes
SHA-256: `fc5b35cff0801517439e28be789fd0925e22b285aa9fc6b183d8053548f86662`

Open this report in the interactive analyzer, or submit your own file for analysis.