PDF malware analysis — malicious · d706ef8d0977a967

MALICIOUS

PDF

71.0 KB Created: 2021-06-08 23:55:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-27

MD5: ea91d56a4380f1ca67a59566fad6fadc SHA-1: 5a3c35f9eefab2f9aa0b81480fd2ea3c245213ab SHA-256: d706ef8d0977a9679bdb813431c38e01a7469eb62d05a0d10362476bc56c4b49

186 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was identified as malicious by ML classifiers and ClamAV, indicating a phishing or trojan threat. It contains a large number of external links, many pointing to disposable hosting services, suggesting a link farm or SEO manipulation tactic. The document body is heavily obfuscated and appears to be corrupted, but the presence of external URIs and the PDF_SEO_LINK_FARM heuristic strongly indicate the intent to redirect users to potentially malicious content.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://huntic.ru/pbw?utm_term=act+ii+scene+iv+romeo+and+juliet PDF link annotation
- https://cdn-cms.f-static.net/uploads/4476127/normal_5fdaf6457e5d7.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4424662/normal_6031b18c5e456.pdfIn PDF document text
- https://bamopinusomuna.weebly.com/uploads/1/3/1/3/131379567/cdb528fb450d.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4368249/normal_5fce6ecb42306.pdfIn PDF document text
- https://dudafenerow.weebly.com/uploads/1/3/4/9/134900552/kurikimiviwese.pdfIn PDF document text
- https://zupitexugavasol.weebly.com/uploads/1/3/0/9/130969618/vakobojeg.pdfIn PDF document text
- https://samomalekadoj.weebly.com/uploads/1/3/1/4/131438786/a5fe374.pdfIn PDF document text
- https://dilaxizinis.weebly.com/uploads/1/3/5/9/135973905/6874718.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4403533/normal_6013b46c938a2.pdfIn PDF document text
- https://tiritezolodimim.weebly.com/uploads/1/3/4/7/134743729/diris.pdfIn PDF document text
- https://batagokefo.weebly.com/uploads/1/3/1/0/131070859/1fd55af.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4387243/normal_60064f5200c5c.pdfIn PDF document text
- https://pelozaxuji.weebly.com/uploads/1/3/2/6/132680784/nepeg.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- http://kolasotosexu.pbworks.com/w/file/fetch/144793248/cat_c32_generator_weight.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/e63f8478-f720-4c8b-8648-16ca2105a682/60174393592.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/dee3b1b3-7334-46fa-8574-d87c2d3a0c53/cloud_9_origin.pdfIn PDF document text
- http://kigemulu.pbworks.com/f/viwoxozaser.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/e3ea22aa-38a1-4eeb-a91b-a803c36547fb/zulunu.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/533b7f4d-68ce-4dec-9693-bfa06268b9f4/2052858906.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/8f65adc1-16ed-4150-b46a-8de8b5eed7c6/jawigererukusemo.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000da7f.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xDA7F	5208 bytes
SHA-256: `7167a5b4abc4a600e49744e18cdbf50003c55926991f2d8b168ec8fe855a9b02`
`font_01_sfnt_off0000ec27.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xEC27	10492 bytes
SHA-256: `49ce8bc5ed5ef8a3bbced3fa168dfe02a6b6815c6aa20413446956bf189c995b`

Open this report in the interactive analyzer, or submit your own file for analysis.