PDF malware analysis — malicious · cda8a2d2e0246ab0

MALICIOUS

PDF

128.2 KB Created: 2021-03-22 14:57:49 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 669faaa4d8879ef2a7633483c4c80bef SHA-1: 7a5db39196e65839aa9b7efd8ca08d90f8f8b07a SHA-256: cda8a2d2e0246ab07a9cb736807c6df191ab0b3f1ec4a1b3b0a924c0c648a957

204 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file exhibits multiple indicators of malicious intent, including a large number of external links, some of which are part of a link farm, and a high ML classification score. The presence of a 'password-protected archive handoff' lure suggests an attempt to bypass security controls. While no scripts were directly extracted, the PDF structure and embedded links point towards a phishing or malware distribution scheme.

Machine Learning

Nyx PDF Classifier malicious score 0.9990

Heuristics 7

Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE

Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://vilenefex.ru/wix?keyword=environmental+science+chapter+18+concept+review+answers
- https://cdn.sqhk.co/wemopizajazo/hjgiiaO/geometry_dash_lite_levels.pdf
- http://lnstagramlivesupportcenter.com/26811585218latta.pdf
- https://berizekaxijaj.weebly.com/uploads/1/3/4/5/134501449/7624034.pdf
- https://cdn.sqhk.co/wafudovop/2jfXicG/vikings_spin_off_series_valhalla.pdf
- http://quickstore.pro/21926068721hlvux.pdf
- https://duxudalo.weebly.com/uploads/1/3/4/8/134866109/8036528.pdf
- https://bebopajuze.weebly.com/uploads/1/3/5/3/135312866/zugariresemib-wukiwulufubowid.pdf
- https://cdn.sqhk.co/rifarako/jcoiahc/clouds_movie_trailer_disney.pdf
- https://xolovimuwoza.weebly.com/uploads/1/3/4/8/134865524/mafela.pdf
- https://taxufutusa.weebly.com/uploads/1/3/4/5/134514166/80faf4a4.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://fedorahosted.org/lohit
- https://504b7f7c-d27d-4f2b-a6eb-e8dc7cf660cf.filesusr.com/ugd/6ba015_b3ea6164e57948919cb10dfdb93dac00.pdf?index=true
- https://uploads.strikinglycdn.com/files/5cdc72f3-a2bb-497a-94d0-782407ad1327/resufezuvijexewob.pdf
- https://uploads.strikinglycdn.com/files/5a513e43-45ff-4ffa-981f-4cd6548e5ff8/how_do_you_play_mini_dv_tapes.pdf
- https://a5fc3680-5c08-4cda-bd6c-abaa3bdf25bc.filesusr.com/ugd/ea5d7b_1d5b0b95c0c344a8a7ca130463b190b9.pdf?index=true
- https://uploads.strikinglycdn.com/files/b108c82e-aa67-4aa8-aa6e-dea8aa2c9a7e/2892261514.pdf
- https://fa90eb46-aa9b-4fd1-a2e8-e903ec8e50a4.filesusr.com/ugd/575fb0_9f57130a833349d1a68c626e879ef5de.pdf?index=true
- https://441dbedc-201a-49d7-bb2a-292980023e2b.filesusr.com/ugd/473728_598bb79d32a4445a84c71d332003715a.pdf?index=true
- https://591379ed-26d0-4405-baa7-5b8dadede013.filesusr.com/ugd/866ffa_88057454228f48b99e649b18307fa779.pdf?index=true
- https://c3373aeb-ed74-4f2d-b631-fa679e0a3f6f.filesusr.com/ugd/cbe7f7_76b6a392366741a2984d4d212f71143a.pdf?index=true
- https://uploads.strikinglycdn.com/files/73e3256c-8da9-4615-8519-bcdc421e7c0e/models_of_curriculum_evaluation_process.pdf
- https://8ca15cf9-c5bf-4329-906a-32df3c7b5ab7.filesusr.com/ugd/4ca7f5_16c7d1891637496980cca8edc0802b6d.pdf?index=true
- https://502f924d-676a-41b3-8220-87c01882f600.filesusr.com/ugd/5a20bb_56d063c4f8604009b0059dc36b447505.pdf?index=true
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00018a97.bin` `9403ff098ee72004de300e0e8849cc0adaed91e69d27da11b0f09be00e4ae972`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x18A97	5528 bytes
`font_01_sfnt_off00019d52.bin` `3b57cb8609360c66eefbfbaa1f63a55564db0b0e7d1b16bfd341ad0072fc0a84`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x19D52	12912 bytes
`font_02_sfnt_off0001c93d.bin` `5b0d2701ab39d2f69c66d7d16c60d8db0b323aa0832947137e757b5401d27330`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1C93D	16060 bytes
`font_03_sfnt_off0001de11.bin` `ad11f3825e6537ddd0330d40bc68b34ad1519d51295555b1a106d234aa32fdd1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1DE11	4864 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.