PDF malware analysis — malicious · fc84692b2b3bd51c

MALICIOUS

PDF

83.3 KB Created: 2021-04-04 05:56:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-23

MD5: a30aa800463d364df97d3f4d14e4a6c4 SHA-1: dee99c0c1664cb9f55d115a98e2f29bde4aca293 SHA-256: fc84692b2b3bd51c60f6aa1d736ff5260f275d130a5d00a61c4d3030d76e583f

184 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was flagged as malicious by a critical heuristic indicating it links to known malicious redirector infrastructure. The ML classifier also assigned a high probability of maliciousness. The embedded URL, 'https://dafemum.ru/award?keyword=architectural+design+concept+ideas+pdf', is the primary indicator of malicious intent, likely serving as a lure for phishing or to download further malicious content.

Machine Learning

Nyx PDF Classifier malicious score 0.9997

Heuristics 5

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://dafemum.ru/award?keyword=architectural+design+concept+ideas+pdf In PDF document text
- https://sabexezoguge.weebly.com/uploads/1/3/1/4/131483217/527e28274.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4450519/normal_5febe54620516.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4371509/normal_605b0742c3421.pdfIn PDF document text
- http://rankingcoach-seo.com/44388014878jgqow.pdfIn PDF document text
- https://dafuzimobolu.weebly.com/uploads/1/3/4/4/134498283/36c51d4aec6125.pdfIn PDF document text
- http://inostrana.com/nuxuveso6dhng.pdfIn PDF document text
- http://titanof-filtr.ru/rulaxikuwiruse4cnh3.pdfIn PDF document text
- http://betmoy57.com/stock_market_charts_live_uk8zunj.pdfIn PDF document text
- https://movimuwetimegi.weebly.com/uploads/1/3/4/3/134342740/riwufojujorege.pdfIn PDF document text
- http://wiinorama.fun/8414027499adm46.pdfIn PDF document text
- http://ceter.xyz/giwubopevugefon9gf6.pdfIn PDF document text
- http://tehnotop.space/5047323439pqesf.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4375884/normal_6033dd2422c78.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4386091/normal_605227884aca8.pdfIn PDF document text
- https://lamobivuletopuk.weebly.com/uploads/1/3/4/8/134863798/6476463.pdfIn PDF document text
- http://usacreditcheck.info/beguiling_affix_guideutc3c.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4473056/normal_6032e246680e9.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/5a878d5e-9f5a-493a-bad2-0ed39ea2b41a/kenmore_70_pint_dehumidifier_instructions.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/e43e3dfd-562a-4b8e-b8eb-fb451b533e4f/surah_al_mulk_full_download.pdfIn PDF document text
- https://7ffe38df-ef78-47a1-8632-a9c579db478a.filesusr.com/ugd/8ff694_7e8eee9c8e68474dabc2d22fffd72fd2.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/565ef425-257e-4616-9294-6d91aaf70144/company_profile_template_free_download.pdfIn PDF document text
- https://25cf7bc6-226b-4013-96fa-c64d334b7dac.filesusr.com/ugd/317e1a_d526888cf6b74a9491636f486b34e13b.pdf?index=trueIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0001073b.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1073B	5408 bytes
SHA-256: `8fe11dde524a1a5667ba7f6b4334bd4e55f6b81a3c975a62f0a1e9e93306cad6`
`font_01_sfnt_off0001199a.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1199A	11244 bytes
SHA-256: `7beb0f4a15ac6534225dc98edaf0a6ea3fa2fae92563e8406a170a781c27478d`

Open this report in the interactive analyzer, or submit your own file for analysis.