PDF malware analysis — malicious · ed4531b5bb39119a

MALICIOUS

PDF

74.0 KB Created: 2021-03-09 19:24:24 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: fda285ebdaa3a72df1f7bc99a610273e SHA-1: 6866067db89fd40a81a91d60f73c2380e87a11cd SHA-256: ed4531b5bb39119a97ea7d511195d1a25959f507cab25ee5c207299135813721

226 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1539 Steal Application Data T1059.007 JavaScript

This PDF document was flagged as malicious by a ML classifier and ClamAV, and exhibits characteristics of a credential harvesting lure. It contains a large number of external links, many hosted on disposable domains, suggesting a link farm designed to obscure the ultimate destination. The heuristic 'SE_MFA_LURE' indicates the document likely prompts users for one-time codes or MFA approval, a common tactic for stealing session tokens or abusing multi-factor authentication. No scripts were extracted, but the presence of numerous external URLs points to a phishing or redirection scheme.

Machine Learning

Nyx PDF Classifier malicious score 0.9960

Heuristics 7

Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
MFA / one-time-code harvesting lure high SE_MFA_LURE

Document asks for a one-time code, authenticator approval, or MFA confirmation — consistent with credential phishing kits that steal session tokens or abuse multi-factor authentication
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://botokaw.ru/123?utm_term=google+account+manager+apk+8.+0
- https://koloxajemixe.weebly.com/uploads/1/3/1/4/131482821/zovig_masuxediso_jasumugeruda_fejalukorex.pdf
- http://kigirifaduguv.getenjoyment.net/lenovo_y50_70_camera_drivers_windows_10_64_bit.pdf
- https://dezojase.weebly.com/uploads/1/3/4/7/134711134/5799443e2d89.pdf
- http://warixedivukinat.mygamesonline.org/2012_jeep_grand_cherokee_srt8_0-60.pdf
- https://vekaforu.weebly.com/uploads/1/3/4/7/134747957/jitogedobozi.pdf
- http://kudusakepupa.sportsontheweb.net/chemical_weathering_and_mechanical_weathering_differences.pdf
- https://poxejoretojav.weebly.com/uploads/1/3/4/7/134740271/616850.pdf
- http://jabisoj.22web.org/sisuvi.pdf
- https://wovugozota.weebly.com/uploads/1/3/2/6/132695813/gipanawurofifexuz.pdf
- https://fivipogokofabid.weebly.com/uploads/1/3/0/7/130776003/denofafexogoponubote.pdf
- https://remanajuzox.weebly.com/uploads/1/3/1/4/131437778/4212482.pdf
- https://zanubago.weebly.com/uploads/1/3/4/8/134886268/5cb2d99b956891.pdf
- https://tonavibete.weebly.com/uploads/1/3/4/7/134748981/4535379.pdf
- http://peromopativej.mypressonline.com/23345592995.pdf
- https://mewukonil.weebly.com/uploads/1/3/4/0/134096476/zudagomeki.pdf
- https://fakanodadix.weebly.com/uploads/1/3/4/3/134371587/juzasesos.pdf
- https://tamidotojo.weebly.com/uploads/1/3/1/8/131858916/xedasebu_dugikogawejol_vusop_kavuxewaweg.pdf
- https://kefavemi.weebly.com/uploads/1/3/4/0/134042724/0e657bf.pdf
- http://siviveko.getenjoyment.net/zajapaza.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://vikigadawemak.rf.gd/pejifemenojotemarutiloz.pdf
- https://s3.amazonaws.com/xefejevife/54491899927.pdf
- https://s3.amazonaws.com/legapatatezisa/kexolokosubafetefekanu.pdf
- https://s3.amazonaws.com/bezegoluzose/mahwah_nj_weather_report.pdf
- http://pomedunud.epizy.com/lubuniwigip.pdf
- http://rupufunolodul.rf.gd/26048094392.pdf
- http://vavijirodujozi.rf.gd/clip_studio_assets_won_t.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000e3b4.bin` `11a072eecd9ae22b37e699f2f9ca90b93d1dee6bbeeadb5f5dea83c6afad8abd`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE3B4	5536 bytes
`font_01_sfnt_off0000f680.bin` `bf77db9dd6616f50a1d704bce8b6670082509f9a16ab3791ae194a6739a62f84`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF680	10620 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.