Verdict: MALICIOUS
Risk Score: 126
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The file was detected as malicious by ClamAV and by an ML classifier, indicating a high likelihood of malicious intent. It contains numerous external URLs, one of which is a search-query redirector link about 'moobs', suggesting a lure to a potentially malicious site. The 'PDF_SEO_DISPOSABLE_LINK_FARM' heuristic further supports the conclusion that this is a link farm designed for malicious redirection.
Machine Learning
- Nyx PDF Classifier malicious score 0.9994
Heuristics (5)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://crewmak.ru/pbw?utm_term=how+do+you+get+rid+of+moobs (PDF link annotation)
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off000173e4.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x173E4 | 5280 bytes | a0e035636b83ef87b433285ec0cbb386b1b472924d38851179f4fd127286d37b |
| font_01_sfnt_off000185dc.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x185DC | 12804 bytes | c62f5f5de608a04bb7b6c9528236985edbe47e7cdf9fdc5233a8222add6ed17e |