Verdict: MALICIOUS
Risk Score: 154
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF file contains numerous embedded URLs, with a significant heuristic firing indicating a large link farm. The document body, though heavily obfuscated, contains text related to a 'Brawl Stars gem generator', suggesting a phishing or scam lure. The presence of external URIs and a link farm points towards an attempt to redirect users to potentially malicious sites, possibly for credential harvesting or malware distribution.
Machine Learning
- Nyx PDF Classifier malicious score 0.7050
Heuristics (4)
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- External URI (info, PDF_URI): PDF contains an external URL action
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://nomylo.ru/pbw?utm_term=brawl+stars+gem+generator+no+human+verification+or+survey+2021
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename (hash) | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off0000eab9.bin (a4fdb4b15546c903b6defbf09875e926fcc076e07df276780db3d9f52670a06c) | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEAB9 | 5924 bytes |
| font_01_sfnt_off0000fee6.bin (f247613d2cf5575028429979d288d986e830c119e0c4b1deab0154eed2e07c56) | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFEE6 | 11336 bytes |