PDF malware analysis — malicious · e9f78df58969cc65

MALICIOUS

PDF

78.8 KB Created: 2021-04-07 01:26:22 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-07-13

MD5: 4b6d8ee8b9a28417372ebb0be37db86a SHA-1: 4f251e8e4fa1aff37c570711f1827b8bd9e8e8eb SHA-256: e9f78df58969cc65afe88c8b7a47be768caaf98e29aa205f25aecfd322c1cdde

156 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of external links, many of which are SEO-optimized to appear as search results for specific documents. The primary URL, https://leonvi.ru/award?keyword=sobotta+atlas+of+human+anatomy+2+pdf, suggests a lure to a website that likely hosts malicious content or phishing pages. ClamAV and ML classifiers also flagged this PDF as malicious, indicating a high probability of malicious intent.

Machine Learning

Nyx PDF Classifier malicious score 0.9997

Heuristics 5

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://leonvi.ru/award?keyword=sobotta+atlas+of+human+anatomy+2+pdf PDF link annotation
- https://cdn-cms.f-static.net/uploads/4385021/normal_5fe8e8b8a7c60.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4409258/normal_5ffbd6a291d86.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4376127/normal_606647e5614f3.pdfIn PDF document text
- http://viziziziv.mywebcommunity.org/articles_of_confederation_essay.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4416301/normal_60484e5195f8c.pdfIn PDF document text
- http://gaxesujite.medianewsonline.com/10263638827.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4409609/normal_60608ceaab119.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4500669/normal_603800111e6c8.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4370542/normal_5fc6cdba431cf.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://s3.amazonaws.com/xarojapi/fadorosorapofir.pdfIn PDF document text
- https://s3.amazonaws.com/tenunud/chemsheets_task_12_buffer_solution_calculations.pdfIn PDF document text
- https://s3.amazonaws.com/rubidokezive/writing_two_step_equations_worksheet_7th_grade.pdfIn PDF document text
- http://nosigegu.onlinewebshop.net/40471867978.pdfIn PDF document text
- https://s3.amazonaws.com/pazerogasarinu/50683980275.pdfIn PDF document text
- https://315736c7-1030-4200-8d24-05c9f4951019.filesusr.com/ugd/d19ca0_e89214de045b4afcab012153e1625264.pdf?index=trueIn PDF document text
- https://50b44c92-959e-4a15-bf83-93d6b2b518d6.filesusr.com/ugd/3ed44c_2d92b9b8c0e74f5cb722d2446adf6ae2.pdf?index=trueIn PDF document text
- https://s3.amazonaws.com/zetubakuz/panasonic_ag_hmc150.pdfIn PDF document text
- https://s3.amazonaws.com/tanapilamaxi/serajawep.pdfIn PDF document text
- https://s3.amazonaws.com/vidadaviwal/26082345428.pdfIn PDF document text
- http://kijonag.onlinewebshop.net/neil_degrasse_tyson_astrophysics_in_a_hurry_free.pdfIn PDF document text
- https://eda93683-a6ca-45e9-8056-ca7adea7f1dc.filesusr.com/ugd/d655db_26dccb91f080405dba6dc01b484058eb.pdf?index=trueIn PDF document text
- https://0306adf0-382e-42f1-903d-71c3961c97f1.filesusr.com/ugd/7ff653_d8f3d82bfd2542fb8fe56a396825c2c4.pdf?index=trueIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000f563.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF563	5660 bytes
SHA-256: `469fcc2c2e0a80f76e4a1881566523341e7b7f9337b32ca67de86390c2eada7e`
`font_01_sfnt_off00010887.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x10887	10984 bytes
SHA-256: `39e619b0a3ef6cf0f28ae10bbfb2f52c87298c94dc9b3d6246dce54d050f9f82`

Open this report in the interactive analyzer, or submit your own file for analysis.