PDF malware analysis — malicious · d83a5109857c7b14

MALICIOUS

PDF

89.7 KB Created: 2021-09-24 08:25:29 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-27

MD5: 837b7a1b630bf8d7f21805eaf8cd148b SHA-1: d93bbc059bfaf88dcb75376b8b5aaae5207d13fe SHA-256: d83a5109857c7b14e051a0b7024a46fbcdb40a3d4ff52a7cd00c6085dcec56e8

74 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The PDF contains embedded JavaScript and numerous external URIs, indicating an attempt to redirect the user to malicious websites. The PDF_SEO_DISPOSABLE_LINK_FARM heuristic specifically flags the document as a link farm on disposable hosting, suggesting a phishing or malware distribution scheme. The ML classifier also strongly indicates maliciousness.

Machine Learning

Nyx PDF Classifier malicious score 0.9970

Heuristics 5

Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://lica.plovdivweek.com/js/ckfinder/userfiles/files/serowuvodot.pdf In PDF document text
- https://xenang-mitsubishi.com/fckupload/file/dozomujudowenufabe.pdfIn PDF document text
- https://tekartltd.com/upload/files/mevofejurofos.pdfIn PDF document text
- http://client.diffuse.info/files/45431970769.pdfIn PDF document text
- https://mcgbaharat.com/userfiles/file/77474740934.pdfIn PDF document text
- http://pvvc.cz/files/81846874383.pdfIn PDF document text
- http://quangcongluc.com/upload/files/dafukuzila.pdfIn PDF document text
- http://elmiraclassiccountry.com/wp-content/plugins/super-forms/uploads/php/files/02f53df39e6ff09c0836c464300c563b/sabitoxudosisuzuxore.pdfIn PDF document text
- https://eltechma.com/zdjecia/fck/file/48742200009.pdfIn PDF document text
- https://icon-studios.com/userfiles/file/pedowu.pdfIn PDF document text
- https://forexinc.ca/upload/editor/file/zomidajedunuze.pdfIn PDF document text
- http://bjqyms.com/filespath/files/20210924084540.pdfIn PDF document text
- https://kungfuclasshongkong.com/louis/taichi/ckfinder/userfiles/files/49687097796.pdfIn PDF document text
- https://www.moxiclear.com.au/application/third_party/ckfinder/userfiles/files/26539517798.pdfIn PDF document text
- https://dafelia.com/files/79319943054.pdfIn PDF document text
- http://hillsdalehorseboarding.com/ckfinder/userfiles/files/13860707412.pdfIn PDF document text
- http://kawana.tech/userfiles/file/73607292366.pdfIn PDF document text
- http://giayviettri.com/img-ftec/files/tuxovazowejojiju.pdfIn PDF document text
- http://omnoiptv.com/outscapes/admin/ckeditor/uploads/ck/files/56946827278.pdfIn PDF document text
- https://websbag.com/uploads/files/69075609754.pdfIn PDF document text
- https://tucsonhomewindowtint.com/wp-content/plugins/super-forms/uploads/php/files/5f4a0c5a6f94066c253fd192f529c7c8/patubog.pdfIn PDF document text
- http://kasand.com/userfiles/radajalodi.pdfIn PDF document text
- http://tcsklife.com/filespath/files/20210903040920.pdfIn PDF document text
- http://www.look4job.gr/images/_user_na/file/dadabijenox.pdfIn PDF document text
- https://feedproxy.google.com/~r/Uplcv/~3/PmAiG5ZyT-k/uplcv?utm_term=share+files+to+pc+from+androidPDF link annotation
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000f6de.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF6DE	18924 bytes
SHA-256: `c1d7d0b178422e9f4164e83ff2cc98f00e21a2f05fe5cb52e629b1a5c765a4ea`
`font_01_sfnt_off000127a6.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x127A6	10960 bytes
SHA-256: `d9f843c708702df897a69f77a13b5c27f3909ba3abfca5bf5a5980cc6823db25`
`font_02_sfnt_off000140d5.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x140D5	16792 bytes
SHA-256: `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`

Open this report in the interactive analyzer, or submit your own file for analysis.