PDF malware analysis — malicious · e9dca39809de3b7e

MALICIOUS

PDF

81.2 KB Created: 2021-03-17 17:34:33 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-08-20

MD5: 409494c871316e2e640a4d0a1f8d996a SHA-1: b2b416e82c4e61eddca94adb8f7c5f1dfec5e292 SHA-256: e9dca39809de3b7e1390d11b0a557b73375204eeef94a3a3544395cd165f2467

136 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is a PDF document identified as malicious by ML classifiers and ClamAV, specifically flagged as a phishing trojan. It contains an external URI and an SEO redirector link pointing to 'https://baarspo.ru/strik?utm_term=does+a+1%252F2+acre+need+a+riding+mower', which is likely used to deliver a malicious payload or conduct phishing. The document body, though heavily obfuscated, suggests a lure related to lawn mowers, which is likely a pretext for the malicious link.

Machine Learning

Nyx PDF Classifier malicious score 0.9997

Heuristics 5

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK

PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://baarspo.ru/strik?utm_term=does+a+1%252F2+acre+need+a+riding+mower PDF link annotation
- https://cdn-cms.f-static.net/uploads/4412154/normal_604e327e12607.pdfIn PDF document text
- https://cdn.sqhk.co/gaxomawelej/iZgfDff/application_form_for_citizenship_uk_home_office.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4475406/normal_6008660a82123.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4460247/normal_600e0337d92df.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4403407/normal_5fcb329e433d6.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4368229/normal_5fd664af81a39.pdfIn PDF document text
- https://cdn.sqhk.co/marezotije/KBijHTz/cut_the_rope_time_travel_3-_9.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://s3.amazonaws.com/kopisigapub/adolescent_health_services_guidelines.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/43498b24-8cff-4112-8faa-879a591addc6/common_core_worksheets_math_4th_grade.pdfIn PDF document text
- https://s3.amazonaws.com/gapuruxumeg/tex_zipper_ludhiana.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/b463e6e1-39e1-420f-a539-b16d9a016119/ethical_hacker_course_in_hindi.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/c6b7f215-ebd5-48de-9107-3c1a58abb625/vosoxapuduxifujalanabovel.pdfIn PDF document text
- https://s3.amazonaws.com/dazifozixawus/blue_iris_florist_washington_dc.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/c3fa730d-c492-4f60-916a-e5f3f247a2b7/89049643235.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/81d9c921-04ad-4b44-abbb-b85b8ba71289/ezdrummer_2_expansion_packs_mac.pdfIn PDF document text
- https://s3.amazonaws.com/fasudikek/74498627703.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/148b1a1f-c26e-4a90-8e4b-599a81677f32/sorudi.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/f089206b-6c3d-42bb-b780-a724f06a7244/web_design_typography_apps.pdfIn PDF document text
- https://s3.amazonaws.com/lakujusitejojet/certificate_template_design_abstract.pdfIn PDF document text
- https://s3.amazonaws.com/lofese/99707411147.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000ff6a.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xFF6A	5536 bytes
SHA-256: `f9d430291368eb593fab811ef7634d9d0c6fdeb3834575522c3c67f57bfc791e`
`font_01_sfnt_off0001124c.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1124C	10812 bytes
SHA-256: `f7ac334d6235cdbbfd617567a89ff6468276ef22d66001c4698cc941658fb2a4`

Open this report in the interactive analyzer, or submit your own file for analysis.