Verdict: MALICIOUS (risk score 126)
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The sample is a PDF file flagged by multiple heuristics and ClamAV as malicious, specifically as a phishing or trojan variant. It contains numerous embedded URLs pointing to disposable domains, suggesting a link farm or phishing lure. The document body, though heavily obfuscated, contains text related to 'driver camera d-link' and 'wkhtmltopdf', indicating a potential lure to download malicious software. The presence of many external URIs and the ML classifier output strongly support a malicious intent.
Machine Learning
- Nyx PDF Classifier malicious score 0.9993
Heuristics (5)
- ClamAV (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://xajibur.ru/strik?utm_term=driver+camera+d-link+dcs-932l PDF link annotation
- http://heleogose.online/audio-technica_professional_stereo_turntable_at-lp120-usb_reviewfki6j.pdfIn PDF document text
- http://copyrightsupportforlnstagram.com/bare_act_law_of_propertyk9ehm.pdfIn PDF document text
- http://tiktokfrance.fun/27934749284l17g7.pdfIn PDF document text
- http://xteenware.online/sanvito_pro_caption_font_freeqca6u.pdfIn PDF document text
- http://idealslimitaly-official.site/what_was_dr_martin_luther_king_jr_i_have_a_dream_speech_aboutezq13.pdfIn PDF document text
- http://siwosupegejolop.medianewsonline.com/benajamafuwegezizuxo.pdfIn PDF document text
- http://onlinesos.tech/bayesian_statistics_an_introduction_4th_editionudgfm.pdfIn PDF document text
- http://gelufose.scienceontheweb.net/xudipuxo.pdfIn PDF document text
- https://cdn.sqhk.co/buganisazobu/gU0hj4u/nice_guidelines_surgical_wound_management.pdfIn PDF document text
- https://cdn.sqhk.co/tororukiwuri/hdPheja/28052104150.pdfIn PDF document text
- http://dejepuzalew.mygamesonline.org/logic_games_practice_questions.pdfIn PDF document text
- http://ponemofetu.scienceontheweb.net/67808858783.pdfIn PDF document text
- http://bovewitavivebu.getenjoyment.net/romeo_and_juliet_notes_for_students.pdfIn PDF document text
- http://pitushok.fun/481091166931fgvc.pdfIn PDF document text
- https://cdn.sqhk.co/kevekelobivo/sthamjm/how_to_draw_baby_yoda_cute.pdfIn PDF document text
- http://8gusevshop.space/904836807924sqfb.pdfIn PDF document text
- https://cdn.sqhk.co/parabeset/2je0jgn/xidovo.pdfIn PDF document text
- http://walletelectrum.buzz/assignment_marks_form_aiouq0x53.pdfIn PDF document text
- http://flash-sar.online/423099615837wewi.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/b078cf3d-a536-4205-bab4-461bfe82a53b/olivetti_lettera_32_typewriter.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/1fda0505-d5c2-4405-a6cd-6289eab39126/beniti.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/e7528656-8580-42a5-a003-73ea80e10746/kenmore_canister_vacuum_cleaner_hose_replacement.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/c329575f-289d-43ab-981e-c67c3a892362/74922947664.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000e99c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE99C | 5692 bytes | cd6376dd66b57164a91e3b2ef43fd301ba90b28f423112c2d074462eccab69af |
| font_01_sfnt_off0000fcee.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFCEE | 11072 bytes | ee7afdf1bb5598bd4d8c473bc2790e3c118e035bf6bee7113ced35f191fb1673 |