PDF malware analysis — malicious · db2a1eca259ab8b7

MALICIOUS

PDF

77.2 KB Created: 2021-04-02 03:31:29 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-08-20

MD5: 76f3c38b0f44d762f434b1e9af38c800 SHA-1: cb15682a1467f482ee4d3bc4e9114769b7e32d00 SHA-256: db2a1eca259ab8b725f9dd817656cd0165c9ddfb89b2292c0a5c368bab3633e4

186 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was identified as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. It contains a large number of external links, many pointing to disposable domains, suggesting a link farm used for phishing or distributing further malware. The document body, though heavily obfuscated, appears to be a lure related to business plans, aiming to trick users into clicking these malicious links.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ponafet.ru/award?keyword=business+plan+example+restaurant+pdf PDF link annotation
- https://cdn.sqhk.co/liwifetil/5jfLhhQ/zelawese.pdfIn PDF document text
- http://usersonlineguardingsettings.site/nunotapizuliserakog24ki.pdfIn PDF document text
- https://cdn.sqhk.co/nemoludajedu/XgegdSb/90574507475.pdfIn PDF document text
- http://lifeeuro.info/how_to_use_a_seamstress_sewing_machine_bobbinbtjos.pdfIn PDF document text
- https://wujojebexubab.weebly.com/uploads/1/3/1/3/131380870/wetij_nanuguketesuku_mufamujal.pdfIn PDF document text
- https://kimilofu.weebly.com/uploads/1/3/0/8/130873947/1636637.pdfIn PDF document text
- https://cdn.sqhk.co/muvetowiripa/UdqVtFl/39743066662.pdfIn PDF document text
- https://rigugoxa.weebly.com/uploads/1/3/0/7/130776225/8869111.pdfIn PDF document text
- https://cdn.sqhk.co/xuruwivagezu/jbjjbhf/girls_skins_for_minecraft.pdfIn PDF document text
- https://cdn.sqhk.co/sejixikerut/d5G4ham/glass_block_hopper_window_replacement.pdfIn PDF document text
- http://petersikdar.com/woboxutubexemiguxugobx759g.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://689a2394-1721-4ce0-b6f7-af9f1dc0d621.filesusr.com/ugd/0f5b72_ef09e3dca349484b811600428426f03e.pdf?index=trueIn PDF document text
- https://d54d55f4-8004-4613-9f19-7b96cbed0ae7.filesusr.com/ugd/ce4b32_708cb098ba8c490797748f03801b6ead.pdf?index=trueIn PDF document text
- https://3064a0a7-8496-4b95-be1e-56094aee372f.filesusr.com/ugd/0cf4b9_aeb5b4502bcd45eabf7e25072affaf36.pdf?index=trueIn PDF document text
- https://03f57db0-fbcf-46ec-8713-21b5992b8512.filesusr.com/ugd/455f95_da15b831d1d7489aa2b1f350f7fdf55e.pdf?index=trueIn PDF document text
- https://3eeb541e-75be-486c-a732-b1e279b2a932.filesusr.com/ugd/eaab1c_515cf03cc2e047d78e0d1d9fbc7784c9.pdf?index=trueIn PDF document text
- https://8a05da06-75fd-4b4b-8779-f7668a2fa4a0.filesusr.com/ugd/da32d9_d408e9d28d034c6282912cdb6658c26f.pdf?index=trueIn PDF document text
- https://2ae8fa2d-8b21-4cd7-bd94-b44763fb9b4d.filesusr.com/ugd/8e1ec7_faba8733c8504c24aae1df6eac090144.pdf?index=trueIn PDF document text
- https://cf4de027-7369-46c2-bf93-d69cabef2b5e.filesusr.com/ugd/868b90_49ec5c5e9a3b484f9a572a21704c2f3e.pdf?index=trueIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000f159.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF159	5304 bytes
SHA-256: `ec336fd87bc62436da7bfe8ffb2ef1bfac4b727cd199c77f669aa10488666edb`
`font_01_sfnt_off00010356.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x10356	10644 bytes
SHA-256: `65375ee778c7bf9c6d632613b6016de9c3b8ebc2848c22e1425d448e80671fee`

Open this report in the interactive analyzer, or submit your own file for analysis.