MALICIOUS
Risk Score: 126
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF contains a large number of external links, many pointing to disposable hosting, which suggests a link farm or SEO manipulation tactic. The ML classifier strongly indicates maliciousness. No scripts were extracted, so the file itself carries no exploit; the PDF structure and embedded URIs match a document built to redirect users to potentially harmful sites, and the risk lies in the linked destinations.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics (5)
- Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM: Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM: Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI [info] PDF_URI: PDF contains an external URL action.
- Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://jacksth.ru/award?keyword=la+cambiale+di+matrimonio+pdf (PDF link annotation)
  - https://cdn-cms.f-static.net/uploads/4417220/normal_605ef88ed9f9c.pdf (in PDF document text)
  - https://cdn.sqhk.co/pugudanirav/oxthcgd/friend_search_tool_apk_2020.pdf (in PDF document text)
  - https://cdn.sqhk.co/jorisuzil/dA0gcgc/mezug.pdf (in PDF document text)
  - http://brosbass.com/wumugekkgi3w.pdf (in PDF document text)
  - https://static.s123-cdn-static.com/uploads/4502268/normal_5fcb3ffe2cfeb.pdf (in PDF document text)
  - https://cdn-cms.f-static.net/uploads/4489599/normal_5fd32d175e553.pdf (in PDF document text)
  - https://static.s123-cdn-static.com/uploads/4368759/normal_5feb78d97af56.pdf (in PDF document text)
  - https://static.s123-cdn-static.com/uploads/4476002/normal_5ff7e550dd09c.pdf (in PDF document text)
  - https://cdn-cms.f-static.net/uploads/4453579/normal_5fe91c74f2e65.pdf (in PDF document text)
  - https://cdn-cms.f-static.net/uploads/4414334/normal_605f71bbc6f1a.pdf (in PDF document text)
  - http://wwwbcpzonasegura-viabcp.com/68161979844ih9fe.pdf (in PDF document text)
  - https://cdn.sqhk.co/sogunixe/jddjcqM/46967291101.pdf (in PDF document text)
  - http://in-step.shop/ac_dc_transformer_diagramtxbfe.pdf (in PDF document text)
  - http://lotto-investclub.com/oregon_dmv_cdl_audio_manualcmu7j.pdf (in PDF document text)
  - http://www.ascendercorp.com/ (in PDF document text)
  - http://www.ascendercorp.com/typedesigners.html (in PDF document text)
  - https://f5f74d4f-f804-4d9b-9bfa-9964b2756261.filesusr.com/ugd/e389b3_824f2f2cebcc448599843ca3ddeffedd.pdf?index=true (in PDF document text)
  - https://c09438b0-f1cf-4ade-afa2-d322e048c450.filesusr.com/ugd/313cc6_e9f5e6020a6c4da6a797ba4093c8fbad.pdf?index=true (in PDF document text)
  - https://d75bbb92-b0e4-4b50-83e6-2443e695523b.filesusr.com/ugd/bc73b9_945723d90339480fac3e63bb7892dd2e.pdf?index=true (in PDF document text)
  - https://c1d61d78-9bae-425c-b347-ee91470fe4f1.filesusr.com/ugd/60933b_5fa3fbdd2cc64e9baaff6478dfeee04d.pdf?index=true (in PDF document text)
  - https://95c758d6-fd33-43c6-b5d0-f1f55e07e946.filesusr.com/ugd/cb0188_78d5acf795ed48dd8c4462c2f0b9ddd6.pdf?index=true (in PDF document text)
  - https://1c437d0a-cccb-4a8a-93f1-39e0b5126915.filesusr.com/ugd/b91566_72193333f74c4868a2fa123f53cb87e5.pdf?index=true (in PDF document text)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
  - http://purl.org/dc/elements/1.1/ (in PDF document text)
  - http://ns.adobe.com/pdf/1.3/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
  - http://scripts.sil.org/OFL (in PDF document text)
  - http://dejavu.sourceforge.net (in PDF document text)
  - http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)
  The last nine entries (the w3.org, purl.org, ns.adobe.com, scripts.sil.org and dejavu.sourceforge.net URIs) are XMP metadata namespace identifiers and embedded-font licence references, not clickable links, and are not part of the link-farm pattern; the ascendercorp.com entries likewise come from font metadata. Only the external .pdf links and the link-annotation URL are relevant to the heuristics above.
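As an added illustration, not the analyzer's own code, the Python below re-implements the two structural checks the heuristics above describe: the host-clustering test behind PDF_SEO_LINK_FARM and PDF_SEO_DISPOSABLE_LINK_FARM, and the duplicate-object check behind PDF_DUPLICATE_OBJ_BODY_INCREMENTAL. The sample PDF bytes, the thresholds (MIN_LINKS, DOMINANT_SHARE), the disposable-host list and all hostnames are constructed assumptions; the parser is a regex over raw bytes that ignores xref tables, object streams and PDF string escapes. It also shows the point the duplicate-object heuristic makes: a first-wins and a last-wins reader resolve different link sets from the same file, and here land on different heuristic labels.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample (not a real file from the report): a bare PDF skeleton with
# four link annotations, followed by an incremental-update section that
# redefines object 5 0 with a different body. No xref tables; parse-only.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.free-host.example/a.pdf) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.free-host.example/b.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.free-host.example/c.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://other-site.example/d.pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://redirector.example/go?utm_term=free+template+pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")

# Assumed thresholds and host list; the analyzer's real values are not on the page.
MIN_LINKS = 4
DOMINANT_SHARE = 0.6
DISPOSABLE_HOST_SUFFIXES = ("free-host.example",)


def parse_objects(pdf: bytes) -> dict:
    """Map (num, gen) -> list of body bytes in file order; a redefined object gets >1 entry."""
    objs = {}
    for m in OBJ_RE.finditer(pdf):
        key = (int(m.group(1)), int(m.group(2)))
        objs.setdefault(key, []).append(m.group(3).strip())
    return objs


def duplicate_objects(objs: dict) -> dict:
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: objects defined more than once with differing bodies."""
    return {k: v for k, v in objs.items() if len(set(v)) > 1}


def link_uris(objs: dict, policy: str = "last") -> list:
    """Collect /URI targets of link annotations as a first-wins or last-wins reader resolves them."""
    uris = []
    for bodies in objs.values():
        body = bodies[0] if policy == "first" else bodies[-1]
        if b"/Subtype /Link" in body:
            uris.extend(u.decode("latin-1") for u in URI_RE.findall(body))
    return uris


def classify_link_farm(uris: list):
    """Return the matching heuristic name, or None.

    One dominant host -> PDF_SEO_LINK_FARM. Spread across hosts but with a
    utm_term SEO redirector or a disposable host -> PDF_SEO_DISPOSABLE_LINK_FARM.
    """
    hosts = [urlparse(u).netloc.lower() for u in uris]
    if len(hosts) < MIN_LINKS:
        return None
    _, top_count = Counter(hosts).most_common(1)[0]
    if top_count / len(hosts) >= DOMINANT_SHARE:
        return "PDF_SEO_LINK_FARM"
    has_seo_redirector = any("utm_term=" in urlparse(u).query for u in uris)
    has_disposable = any(h.endswith(DISPOSABLE_HOST_SUFFIXES) for h in hosts)
    if has_seo_redirector or has_disposable:
        return "PDF_SEO_DISPOSABLE_LINK_FARM"
    return None


if __name__ == "__main__":
    objs = parse_objects(SAMPLE_PDF)
    print("duplicate objects:", sorted(duplicate_objects(objs)))
    for policy in ("first", "last"):
        uris = link_uris(objs, policy)
        print(f"{policy}-wins reader sees {len(uris)} links ->", classify_link_farm(uris))
```

On the constructed sample a first-wins reader sees three links on the same host and trips the clustered PDF_SEO_LINK_FARM rule, while a last-wins reader picks up the redefined object 5 0, sees no dominant host, and falls through to PDF_SEO_DISPOSABLE_LINK_FARM on the utm_term redirector. That divergence is exactly why the duplicate-object heuristic raises severity when the duplicate carries active content such as a link action.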
Extracted artifacts (3)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000f8a6.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF8A6 | 5204 bytes | 2d273275fc644cc95b1c3d0ae3eca1fec3460f86491157590bef1d1f22e1b5a7 |
| font_01_sfnt_off00010a3f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10A3F | 11720 bytes | 6e6b736f7af34b45e2192aa4e8e56d6b13358c4587ec4968949b8845cc2d266c |
| font_02_sfnt_off00013104.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13104 | 16184 bytes | 75e56e6dc913dabd8b3c9cd5ea70025aeab0fff598b2ab24d9d660aeb9535195 |