PDF malware analysis — malicious · f2fbb180c83604f7

MALICIOUS

PDF

77.5 KB Created: 2021-05-21 04:02:56 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-23

MD5: 5edc489bbd69d28aade5cde56f31489e SHA-1: f26b9b6c2b9652533cf3041d34a5e943807b454d SHA-256: f2fbb180c83604f779a9fd89009507d471e49e827a96efd5d0768aab7070a6de

186 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains numerous external links, with one prominent link disguised as a movie download. This pattern is indicative of a phishing or malware distribution attempt. The ML classifier and ClamAV detection strongly suggest malicious intent, likely related to a phishing or trojan payload delivered via the embedded links.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://vilenefex.ru/strik?utm_term=hacksaw+ridge+full+movie+in+hindi+dubbed+hd PDF link annotation
- https://sipizoreju.weebly.com/uploads/1/3/4/1/134131451/tadoruvawa_baxoziz_dadutoxorirok_fewosifuf.pdfIn PDF document text
- https://zitupakunetod.weebly.com/uploads/1/3/0/7/130739751/sifibekuxidof.pdfIn PDF document text
- https://kumenesasewoton.weebly.com/uploads/1/3/4/7/134773405/9438395.pdfIn PDF document text
- https://zoxusikajikad.weebly.com/uploads/1/3/4/8/134851315/0f36b7d5d793aa.pdfIn PDF document text
- https://lefazuditipuk.weebly.com/uploads/1/3/5/9/135967508/2412855.pdfIn PDF document text
- https://nakaleraba.weebly.com/uploads/1/3/4/6/134606700/tuvobisumizesoxu.pdfIn PDF document text
- https://xomitemekebok.weebly.com/uploads/1/3/4/8/134881854/zumowimurare.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- http://www.daltonmaag.com/In PDF document text
- https://uploads.strikinglycdn.com/files/3e69910f-292e-41f8-bbcd-643c797c1cae/wj_iv_cog_subtest_descriptions.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/849826ce-1353-4572-bdec-9d8ae7c7a059/programming_cuda_for_extreme_performance.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/aa39a9a5-4150-4603-b94e-14b55ce99cfc/4924286720.pdfIn PDF document text
- https://s3.amazonaws.com/memobofilenabon/how_often_should_an_outboard_motor_be_serviced.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/e91545c7-59c6-41ff-ac4c-b8a6f22a5d06/mossberg_500_turkey_deer_combo_review.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/ec359cfa-b725-4671-ad67-4803f3ebfeb9/15659495330.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/d7945dbe-40fe-4d00-b050-40de06f1c37d/93217605153.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/a22a311a-4770-4362-8315-fdd01759659c/dell_b2375dnf_dfw_toner.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/c4759a9e-5898-4718-9902-0b0742818600/hoover_steamvac_deluxe_5_brush_agitator_not_working.pdfIn PDF document text
- https://s3.amazonaws.com/rufonali/36352640474.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/b1b20945-bf26-4b01-8ea1-d294a6e8c7a8/53984914718.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000e35b.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE35B	5556 bytes
SHA-256: `156b3aa737dce8a6cb9c561be6e5ae7870bb2845f7004c9bdd40cae7dd23d3d0`
`font_01_sfnt_off0000f619.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF619	10568 bytes
SHA-256: `99db7e49e286b58f8692fae77fa9693594ab4f1780f08ded89e3409630b03b75`
`font_02_sfnt_off00011a44.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x11A44	4324 bytes
SHA-256: `05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176`

Open this report in the interactive analyzer, or submit your own file for analysis.