PDF malware analysis — malicious · de21cac06de98d97

MALICIOUS

PDF

82.2 KB Created: 2021-09-11 00:08:50 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)

MD5: 4b71d040785e92e41621074a147c7587 SHA-1: ddb6d929ffe4661139b3b2716ccddc259fb68a1f SHA-256: de21cac06de98d978064ac1c829a5bab6e379c73d22ee71d281294bc75d57a34

246 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

This PDF file was flagged by multiple heuristics as malicious, including an ML classifier and specific rules for advance-fee scams and payment redirection lures. It contains numerous links to external PDFs hosted on disposable domains, suggesting a phishing or fraud attempt. The ClamAV detection further supports its malicious nature.

Machine Learning

Nyx PDF Classifier malicious score 0.9833

Heuristics 8

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF link to algorithmically-generated URL high PDF_RANDOM_URL_LINK

PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE

Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
Payment redirection / bank-detail change lure high SE_PAYMENT_REDIRECT_LURE

Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://hv2barrier.com/application/third_party/ckfinder/userfiles/files/boruzivivanezutiw.pdf
- http://dogalakustik.com/depo/sayfaresim/file/19698974822.pdf
- https://www.artikel238.nl/emmwebbit/resources/ckfinder/userfiles/files/retomalu.pdf
- http://westernstudioservice.com/admin/userfiles/file/70507803000.pdf
- http://beloezoloto.ru/userfiles/file/94319665098.pdf
- https://ewdel.cz/ckfinder/userfiles/files/fupibomowejejizimu.pdf
- http://fkm-lux.by/var/upload/file/funonavupiramarogutonax.pdf
- https://baruipur.org/ckfinder/userfiles/files/fudoxunakotozanosi.pdf
- https://cliniquemyo.com/userfiles/file/11352089152.pdf
- https://jogamiskolc.hu/ckfinder/userfiles/files/xofulimowunugifazagiku.pdf
- https://childrencareandliteracysociety.org/userfiles/files/fejinoluwosub.pdf
- http://tehla.eu/userfiles/file/93884665241.pdf
- http://www.champcaregivers.com/wp-content/plugins/formcraft/file-upload/server/content/files/161387314e23dc---pedizukukazir.pdf
- https://adium.ru/userfiles/file/83963787801.pdf
- https://drinkpoint.com/uploads/files/wulav.pdf
- http://emusicmarket.com/upfile/board/files/21139585422.pdf
- https://camphacement.vn/upload/files/madobazor.pdf
- https://zaindu.drogomedia.com/files/galeria/files/vatutafidujazopegajewof.pdf
- http://westpakusa.com/phpsites/vertical_living/uploads/file/37120369540.pdf
- https://blugarden.eu/file/43317688629.pdf
- http://gazomotor.com/allinone/file/zopupafewamev.pdf
- http://iphysiology.ru/upload/jotizovolasikuxulix.pdf
- https://mar3ol.com/Files/files/23121205474.pdf
- http://eventologia.com/userfiles/files/davofitoxijaduf.pdf
- https://ahl2005.com/ckfinder/userfiles/files/gogipemojodoxobitojizaguf.pdf
- http://traktor-tv.de/sites/default/files/file/rozodewegitivasaforenuxov.pdf
- https://djecijagarderoba.me/userfiles/file/12094184851.pdf
- https://feedproxy.google.com/~r/skout/mBVl/~3/LPIa9PGmDLg/uplcv?utm_term=scan+lottery+tickets+android
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000db28.bin` `c24fbac9abcf7a459d9c7d7db6a4501c0a7a532d63e2ccb635afdbc77d56e506`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xDB28	18076 bytes
`font_01_sfnt_off00010a94.bin` `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x10A94	16792 bytes
`font_02_sfnt_off000122ab.bin` `6e7d539463eb44e0325630f699226ea182c2a78ed81357b94d857ee21d1f0b61`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x122AB	10644 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.