PDF malware analysis — malicious · da8d330e732dc224

MALICIOUS

PDF

75.4 KB Created: 2021-04-02 10:32:28 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-08-20

MD5: 5c4a61e33923b8e16bd9ccd7abc47938 SHA-1: c19c3346bc5718aa6112e877195844b10604a720 SHA-256: da8d330e732dc22401c4180fea56b94770a11d1c96ae94df5b4d657ca3092124

230 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

The PDF contains multiple heuristics indicating malicious redirector links and a link farm, with ClamAV detecting it as Pdf.Phishing.Trojan. The primary lure appears to be a fake download for "Camtasia studio for mac", directing users to the malicious URL https://crophysi.ru/123?utm_term=camtasia+studio++for+mac. The ML classifier also strongly indicated maliciousness.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 7

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
SEO-redirector lure link (multi-word utm_term) low PDF_SEO_UTM_REDIRECTOR_LINK

PDF contains a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the search-keyword gateway used by the 'free document download' phishing family. Surfaced as an IOC; on its own this is a low-confidence signal.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://crophysi.ru/123?utm_term=camtasia+studio++for+mac In PDF document text
- https://static.s123-cdn-static.com/uploads/4451348/normal_5fdff4bf22735.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4394061/normal_5ffa6c80ec3d4.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4404113/normal_5fd9bf57c479f.pdfIn PDF document text
- http://sodaapp.pro/what_is_agile_methodology_in_simple_wordsct9ke.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4491432/normal_603693a6580c7.pdfIn PDF document text
- https://cdn.sqhk.co/foxoxaze/cijgiLQ/76176780975.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4378836/normal_5fe8c9522b93e.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4367648/normal_5fdd5a4db2673.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4374838/normal_6066bf694201b.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4379736/normal_5fec3df8c727b.pdfIn PDF document text
- https://cdn.sqhk.co/fatepotax/XicgdJf/lokavasolejinedemogif.pdfIn PDF document text
- http://smartcreditscore.info/giwogesepalupebunip6b7l.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4373240/normal_60154d53577ef.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4495257/normal_60078e838fef1.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4446924/normal_6025f29a87dff.pdfIn PDF document text
- https://cdn.sqhk.co/zisujidixa/hdiovhY/rolling_stones_logo_origin.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4453732/normal_60004a049e429.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://6a24fdd2-d4a5-4c4b-882b-0f3115751bcf.filesusr.com/ugd/04e6f9_7dd9f54ed18f4621a8deb00528a103a8.pdf?index=trueIn PDF document text
- https://7f03322d-63d6-449b-a8c2-a80beffeb2b6.filesusr.com/ugd/2994dd_0da094ec8cce4c7e9891e29b2027643d.pdf?index=trueIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000ea7a.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xEA7A	5040 bytes
SHA-256: `0ecc6479cef738a6057673ecf5d7764992bf842e9ef04af3314d4fb61bd5ea56`
`font_01_sfnt_off0000fb87.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xFB87	10960 bytes
SHA-256: `3aef535edc06419e3701de77ceac0f8755a6d4676c4287a0c812d600ed2617a5`

Open this report in the interactive analyzer, or submit your own file for analysis.