MALICIOUS
Risk Score: 154
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF file contains a large number of embedded external links, many of which point to other PDF files. This behavior is indicative of a link farm or a method to distribute malicious content. The ClamAV detection and ML classifier further support its malicious nature, suggesting it's a phishing or trojan delivery mechanism.
Machine Learning
- Nyx PDF Classifier malicious score 0.8381
Heuristics 4
- Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM: Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- External URI [info] PDF_URI: PDF contains an external URL action
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off0000ea26.bin (95b417004feac9f79433efa493fd00ecb047809040608ccdfde51f20c32fadb1) | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEA26 | 5328 bytes |