MALICIOUS
Risk Score: 156
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The file is identified as malicious by ML classifiers and ClamAV, with a critical heuristic indicating it's part of a PDF link farm. It contains an embedded URI pointing to a suspicious domain, likely intended to redirect users to malicious content. The document body, though heavily obfuscated, suggests a lure related to 'Aflatoxinas en leche pdf', aligning with phishing or spam tactics.
Machine Learning
- Nyx PDF Classifier malicious score 0.9991
Heuristics (5)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- External URI (info, PDF_URI): PDF contains an external URL action
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: https://xezojetit.ru/123?utm_term=aflatoxinas+en+leche+pdf (PDF link annotation)
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000ef22.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEF22 | 5204 bytes | 7e454c183bfbfb2f552db09b73428163070eecac35532bc690d23fbe50942394 |
| font_01_sfnt_off000100e0.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x100E0 | 11360 bytes | 8a29d62f0055262ff234b5983897934548d56aedec045ca07d588fe2263707ca |