PDF malware analysis — malicious · e2b864f978b7d397

MALICIOUS

PDF

83.1 KB Created: 2021-04-15 11:08:37 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-21

MD5: ae9f3e1f699305b0143ee2586b72f943 SHA-1: a2154a60079be0fe9f3de4178ce2cbb4b51793e9 SHA-256: e2b864f978b7d3970a559402645e852b186b96f27fbfa498b6d4e81befd2b940

126 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was flagged by ClamAV as Pdf.Phishing.Trojan and by an ML classifier as malicious. It contains numerous external URIs, with a high concentration on disposable hosting, indicating a link farm designed to obscure the ultimate destination. One prominent URL, https://druttle.ru/strik?utm_term=mr+coffee+coffee+maker+12+cup+walmart, is likely the primary lure. No scripts were extracted, but the PDF structure and heuristic firings suggest a phishing or malware distribution attempt.

Machine Learning

Nyx PDF Classifier malicious score 0.9997

Heuristics 5

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://druttle.ru/strik?utm_term=mr+coffee+coffee+maker+12+cup+walmart PDF link annotation
- https://cdn-cms.f-static.net/uploads/4390095/normal_605c20213a585.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4391623/normal_600e0a23af9e9.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4465147/normal_5fee2544d97e6.pdfIn PDF document text
- http://dsv-trening.ru/xopirezowibupaxetuta988yp.pdfIn PDF document text
- http://kolaxowivod.22web.org/xokipomuliwaxuzojuses.pdfIn PDF document text
- http://reliables.ru/wayne_dalton_garage_door_repair_raleigh_ncug2p0.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4388627/normal_606e7a0a370cf.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4418590/normal_6025197da632a.pdfIn PDF document text
- http://bizbize-yeteriz.org/pafugawasufenuwtkp.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4372378/normal_602438bd27d68.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4369179/normal_60494212c3547.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4368468/normal_605db84ea0969.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4417049/normal_5fd78b63e99eb.pdfIn PDF document text
- http://hookup750.website/71177377496faul6.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/948bf506-9b8d-47d6-931e-b98cf29e74ca/advanced_dungeons_and_dragons_character_generator.pdfIn PDF document text
- http://litezopufesox.epizy.com/boomerang_mughaiyazhi_hd_video_song.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/0238a4a8-e77a-45a9-b861-6c34a6040ebc/86628439488.pdfIn PDF document text
- http://jogisav.epizy.com/android_studio_jdk_7.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/4ae8a65d-36a4-4f01-a03c-e47192023955/is_the_tropic_of_capricorn_hot_or_cold.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/7a0d10e4-ee89-4438-897a-5555b6153d1e/nakijumasikuzuf.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/20ab68b8-6976-46b3-8ad4-d1943ff51b18/amazon_uk_the_expanse_books.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/0bfb593a-fe1c-43fb-a9bb-9fbb7ac5ef05/harry_potter_quiz_patronus.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000108f4.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x108F4	5328 bytes
SHA-256: `c7c9fb97231782fee297d6730e8443c0bc280823843b55ec576f036714d5ca65`
`font_01_sfnt_off00011b29.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x11B29	10680 bytes
SHA-256: `fc1cde8ff4520d58cccffdfab36f2c15eb1712a65e33cc37ba55239beafdeaa1`

Open this report in the interactive analyzer, or submit your own file for analysis.