PDF malware analysis — malicious · fe07634e4dc87b7b

MALICIOUS

PDF

83.5 KB Created: 2021-03-19 20:24:00 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-13

MD5: 7423f3c7b2144dac9e34427e35ea8a53 SHA-1: a0b98ea889951ddfabd66e26d58e2a9187e7cf18 SHA-256: fe07634e4dc87b7bc0b082ed7acf3a42f228c0f9a60e3cf32e17f959ef4b3af1

186 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file is identified as malicious by multiple heuristics and an ML classifier, specifically flagged as a phishing trojan. It contains a large number of external links, many hosted on disposable domains, suggesting a link farm or SEO spamming operation. The primary purpose appears to be directing users to external, potentially malicious, websites.

Machine Learning

Nyx PDF Classifier malicious score 0.9996

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://leonvi.ru/wix?keyword=fired+heater+design+calculation PDF link annotation
- https://cdn-cms.f-static.net/uploads/4411932/normal_601840634b2cf.pdfIn PDF document text
- https://firebawoba.weebly.com/uploads/1/3/4/6/134659507/a7b95.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4463808/normal_5ff9ec422b69f.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4420238/normal_5fdef42e0d8ac.pdfIn PDF document text
- https://mafizawejibon.weebly.com/uploads/1/3/1/3/131383772/8724797.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4495400/normal_602a51d3efe8c.pdfIn PDF document text
- https://belujewirozem.weebly.com/uploads/1/3/2/6/132681559/lexebutovemi_nobodavudoperig_venukuz.pdfIn PDF document text
- http://zabixalufam.iblogger.org/diablo_3_ps4_gameplay_co-op.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- http://tijogolovizupi.rf.gd/8981849218.pdfIn PDF document text
- http://panejolaraluka.rf.gd/languageguide._org_english_grammar.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/017a193f-ecd8-454a-89a8-b80666b84182/stoeger_m3500_benelli_parts.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/d2e976fb-df69-4157-92db-cd986e7bc484/how_do_you_turn_on_a_verizon_flip_phone.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/e44953bd-38cc-4784-9008-0e2451ca5b98/cdigo_ui-113_netflix_smart_tv_lg.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/d1e1d457-e61f-4213-808c-d0febea78acf/best_movie_maker_app_for_windows_10_free.pdfIn PDF document text
- http://vodupuginotipir.rf.gd/what_is_bacteriophage.pdfIn PDF document text
- http://sidiwen.epizy.com/types_of_cascading_style_sheets_in_html.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/b02b6afd-d5dc-4643-b34d-0e4feb3d11b6/99656991850.pdfIn PDF document text
- http://fegidil.rf.gd/27837027602.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/5dccb41d-ca30-4117-8ce7-c8784bd80b84/fokurazazovonivijumi.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/4c9105c3-2b1f-4ffa-9b46-758141332cda/fojorabudupixovif.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/a393aca0-74b2-4423-ae8c-bdc1188d6027/12010436858.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000109df.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x109DF	5156 bytes
SHA-256: `1965dfba0d99ed1f93eaf40e9077c2d5ec89ec0587b98fa395ee4686e0288d23`
`font_01_sfnt_off00011b66.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x11B66	10888 bytes
SHA-256: `430fe18074f024b3659d7fb02ec44a626f00fbc3af47fcb7316c2318960cd334`

Open this report in the interactive analyzer, or submit your own file for analysis.