PDF malware analysis — malicious · e6e903aab303c94d

MALICIOUS

PDF

78.3 KB Created: 2021-03-08 11:54:36 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-07-07

MD5: 961f4110b850a4cbd50c18c558e2761a SHA-1: 41f00081c369ece38fe6880a6a0eb45db3896f5d SHA-256: e6e903aab303c94d1afd8ea6f7efd878eef3bb42317c8ca1348c639661027a54

126 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF was flagged by ML classifiers and ClamAV as malicious, specifically as a phishing trojan. It contains numerous embedded URLs, many pointing to disposable domains, suggesting a link farm designed to redirect users. The heuristic 'PDF_SEO_DISPOSABLE_LINK_FARM' indicates a high likelihood of malicious intent through deceptive redirection.

Machine Learning

Nyx PDF Classifier malicious score 0.9957

Heuristics 5

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://golowaki.ru/wix?keyword=an+introduction+to+metabolism+answers PDF link annotation
- https://static.s123-cdn-static.com/uploads/4413363/normal_6006161c167a9.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4370777/normal_5fd2cc3584e64.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4483624/normal_5ff8737c7b0d6.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4376601/normal_5ffad7a14b65d.pdfIn PDF document text
- http://subejewumo.scienceontheweb.net/20865176621.pdfIn PDF document text
- http://rozewevojalel.sportsontheweb.net/fiches_orthographe_cm2.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4495387/normal_5fe6c447d4d75.pdfIn PDF document text
- http://sevoxotedeki.medianewsonline.com/learn_english_app_for_windows_windows_10_free_download.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4412894/normal_6003fe23c23ec.pdfIn PDF document text
- http://jokojujut.medianewsonline.com/can_i_use_a_dunkin_donuts_gift_card_online.pdfIn PDF document text
- http://vobefoli.iblogger.org/zolomabebogazepamof.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4458413/normal_6045e369981eb.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4471704/normal_6003865062666.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4374371/normal_602e3734a5f41.pdfIn PDF document text
- http://vijexibat.mywebcommunity.org/58332741523.pdfIn PDF document text
- http://savulepuxesin.22web.org/pizofavidiwij.pdfIn PDF document text
- http://sakivometo.medianewsonline.com/ganuselevofaset.pdfIn PDF document text
- http://mosenub.22web.org/begoduvikobadorujuwedepo.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://s3.amazonaws.com/vapite/joomla_travel_blog_template.pdfIn PDF document text
- https://s3.amazonaws.com/xokebore/2004_subaru_outback_h6_3.0_problems.pdfIn PDF document text
- http://faleferesevo.onlinewebshop.net/wutukijovajefebimoruteg.pdfIn PDF document text
- http://negavutagogo.epizy.com/firatamagamuremexotuzifo.pdfIn PDF document text
- https://s3.amazonaws.com/medaliwifufugel/dashes_and_hyphens_worksheet_ks2.pdfIn PDF document text
- https://s3.amazonaws.com/befafuni/1818838593.pdfIn PDF document text
- http://pezamax.myartsonline.com/lizuxolapivetana.pdfIn PDF document text
- http://tofezaniv.rf.gd/basel_ii_summary.pdfIn PDF document text
- https://s3.amazonaws.com/zizene/25699583825.pdfIn PDF document text
- http://niwimugosaz.onlinewebshop.net/fidulofobodilogazep.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000f370.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF370	5304 bytes
SHA-256: `a06a64cf86f50700efc5071625e5cfc2666c82eeb52d988b91510dc3fe8e1439`
`font_01_sfnt_off0001056c.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1056C	10980 bytes
SHA-256: `267386196b290afacfbc527ab1ff0e6f3f1fa4477669efea215eaaaaedc0d187`

Open this report in the interactive analyzer, or submit your own file for analysis.