PDF malware analysis — malicious · f363c1bcd4b9cd08

MALICIOUS

PDF

78.3 KB Created: 2021-04-02 15:29:05 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-25

MD5: 65dd0f8c350af0d08955606a544e9e08 SHA-1: 391282e3ff7a4376cf0a18238a33b425f4412b4a SHA-256: f363c1bcd4b9cd08f82c49390bb27625f702b3700c3233a0a84710585b492a66

244 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous embedded links, with one specifically identified as a malicious redirector. The ML classifier and ClamAV detection strongly indicate malicious intent. The document body is heavily obfuscated, but the presence of link farms and a malicious redirector suggests an attempt to lure users to external malicious sites, likely for phishing or malware distribution.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://crophysi.ru/award?keyword=bp+chart+age+wise+pdf In PDF document text
- https://fibimijisu.weebly.com/uploads/1/3/4/4/134461798/filirozugafa_midava_fogesupigog.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4497688/normal_605c5dfdc1936.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4481157/normal_605c68cddb22f.pdfIn PDF document text
- https://tozovugoji.weebly.com/uploads/1/3/1/6/131606343/8889449.pdfIn PDF document text
- http://robolab.one/155666902485ysjo.pdfIn PDF document text
- https://sevokubataper.weebly.com/uploads/1/3/0/8/130814346/1289089.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4454803/normal_605f92ec973e4.pdfIn PDF document text
- http://wiinorama.fun/ouz_atay_eserleriskgun.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4373004/normal_5fda4a888f324.pdfIn PDF document text
- http://bbflowers.net/xutivenomuxomipobutrvvw.pdfIn PDF document text
- http://geosen.net/715168319330z020.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://438c9214-13ba-44a2-8469-a4c97ff43377.filesusr.com/ugd/5d46a0_61bbf4175aec4f38855aadda14600a4a.pdf?index=trueIn PDF document text
- https://s3.amazonaws.com/gotenukevepunin/59892486508.pdfIn PDF document text
- https://s3.amazonaws.com/fadupazageraf/najofeporini.pdfIn PDF document text
- https://s3.amazonaws.com/dubiditiginowo/33881200648.pdfIn PDF document text
- https://f59c0a4d-c104-43ac-8966-a5978cdf1b8c.filesusr.com/ugd/0c1ebd_65f2fd68746f489fb0cbe8b9da9635d4.pdf?index=trueIn PDF document text
- https://18b62485-dce0-4e35-9712-b1d1f13fcb23.filesusr.com/ugd/296484_8a772c62ef3347f597f16a2652bb3713.pdf?index=trueIn PDF document text
- https://b1b0174c-961c-4936-87f6-765e1132391e.filesusr.com/ugd/6cf804_4ff2206afa1a460fb09635adb4293166.pdf?index=trueIn PDF document text
- https://s3.amazonaws.com/najubu/sad_shayari_wallpaper_full_hd.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000f3c7.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF3C7	5528 bytes
SHA-256: `2f6c35ece76d21158b99fb00d0a11a0b4205e406e77a5a9691f618e718abb7a2`
`font_01_sfnt_off000106a4.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x106A4	11020 bytes
SHA-256: `d04ce70aaf06b055ea14c322fc53df9c18e8b56c8f23764bd24b5064c12c02ac`

Open this report in the interactive analyzer, or submit your own file for analysis.