Verdict: MALICIOUS
Risk Score: 186
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious Link
This PDF file was identified as malicious by ML classification and ClamAV, indicating a high likelihood of malicious intent. It contains a large number of external links, many hosted on disposable domains, suggesting a link farm or phishing operation. The primary URL, 'https://leonvi.ru/strik?utm_term=oppo+105+for+sale', appears to be a lure for potential victims.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics (6)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted URLs
- https://leonvi.ru/strik?utm_term=oppo+105+for+sale (PDF link annotation)
- https://cdn.sqhk.co/mizopopowaze/nvjioig/ugcc_game_server_control_panel.pdf (in PDF document text)
- https://rigagebefizo.weebly.com/uploads/1/3/4/6/134631069/7eb79.pdf (in PDF document text)
- https://sagejajake.weebly.com/uploads/1/3/5/3/135303377/67a57219d2.pdf (in PDF document text)
- https://nizidisifa.weebly.com/uploads/1/3/4/5/134505067/26c05de681760.pdf (in PDF document text)
- https://jaxoruxevag.weebly.com/uploads/1/3/1/6/131606876/rumijopotisu.pdf (in PDF document text)
- https://xukizawumu.weebly.com/uploads/1/3/1/3/131380236/pibonefidelen.pdf (in PDF document text)
- https://cdn.sqhk.co/widafopaj/bls9nAe/66145375033.pdf (in PDF document text)
- https://lutesikesopisej.weebly.com/uploads/1/3/4/8/134884151/numur.pdf (in PDF document text)
- https://janepaxe.weebly.com/uploads/1/3/4/0/134097288/7701382.pdf (in PDF document text)
- http://www.ascendercorp.com/ (in PDF document text)
- http://www.ascendercorp.com/typedesigners.html (in PDF document text)
- https://e7ba4f66-d023-404d-a355-a5b98970f127.filesusr.com/ugd/cac9e4_76f664660a3f4d2a8ece3182afc7b91e.pdf?index=true (in PDF document text)
- https://6a24fdd2-d4a5-4c4b-882b-0f3115751bcf.filesusr.com/ugd/04e6f9_5fc582f8066a4fe6a51634526daedd12.pdf?index=true (in PDF document text)
- https://cb70cc59-2297-49c3-b7e2-2ac7e26e28d4.filesusr.com/ugd/4479ed_de528f6eecae461794dd6d1311580446.pdf?index=true (in PDF document text)
- https://77483064-5892-4b52-b419-66e751946b77.filesusr.com/ugd/ef7b09_028c8711e289421aa02c34595358a5a4.pdf?index=true (in PDF document text)
- https://da5bec28-7969-4117-8ffb-5069fce5e80c.filesusr.com/ugd/31593d_4a6a2383ade440d9a55b7f7325daa7ae.pdf?index=true (in PDF document text)
- https://s3.amazonaws.com/remeranexe/wizard_subclasses_5e_rpgbot.pdf (in PDF document text)
- https://s3.amazonaws.com/xetasif/tokamogixirafomu.pdf (in PDF document text)
- https://s3.amazonaws.com/dujepav/79652454529.pdf (in PDF document text)
- https://f1ddcea9-c323-452c-a4d3-aaefec61e50a.filesusr.com/ugd/defd8a_71efc32b8f5c40039b6d0693120d34ea.pdf?index=true (in PDF document text)
- https://070488ba-e3d9-4c74-834b-445551f5513c.filesusr.com/ugd/fb83f1_b4989433ac49485aa89b2677558c75a7.pdf?index=true (in PDF document text)
- http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
- http://purl.org/dc/elements/1.1/ (in PDF document text)
- http://ns.adobe.com/pdf/1.3/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
- http://scripts.sil.org/OFL (in PDF document text)
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0001130a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1130A | 5240 bytes | 132302702142c6a15352cb722415b0ae58f5e5847c5a0aa7b566fb4c9e0967e4 |
| font_01_sfnt_off000124f7.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x124F7 | 12164 bytes | d5e1284457446a93d10a13f4aaa1743de6fef48b94e4784989f0e9b1ee89dd3d |