PDF malware analysis — malicious · fe88f61abbb4d6f1

MALICIOUS

PDF

79.3 KB Created: 2021-03-30 05:31:17 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-07-02

MD5: ad518f5a728ad87e7f72a5ad200655ea SHA-1: fa70059be7a44505fa7eb4c75bc09ee1d8c89c86 SHA-256: fe88f61abbb4d6f13f0d08dcc9fca4ce1c08776e6ae405fd6672269740d277d4

166 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 Malicious File T1059.007 JavaScript

This PDF document is identified as malicious by an ML classifier and exhibits characteristics of a social engineering attack (ClickFix). It contains a large number of external links, many hosted on disposable domains, suggesting a link farm designed to redirect users to potentially malicious content. The document body, though partially corrupted, indicates it is disguised as a search result for a technical topic, likely to trick users into clicking links that could lead to further compromise.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 6

Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
ClickFix social engineering attack high SE_CLICKFIX

Document instructs the user to press Win+R or paste a command into a terminal — consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://xezojetit.ru/award?keyword=difference+between+uefi+and+bios+pdf PDF link annotation
- https://rulukipa.weebly.com/uploads/1/3/4/3/134329123/dowoxarulasesitasav.pdfIn PDF document text
- http://busimaderule.mywebcommunity.org/wedding_march_music.pdfIn PDF document text
- https://kowalarezanir.weebly.com/uploads/1/3/1/4/131438161/wabasume.pdfIn PDF document text
- https://xuzomavarek.weebly.com/uploads/1/3/1/3/131383242/fepoj.pdfIn PDF document text
- https://gudivolopuna.weebly.com/uploads/1/3/5/3/135346868/0ac0b643f.pdfIn PDF document text
- http://mobeditobaxul.scienceontheweb.net/2011_vw_jetta_2.5_transmission_fluid_change.pdfIn PDF document text
- https://gitokivoj.weebly.com/uploads/1/3/4/3/134316846/8875481.pdfIn PDF document text
- https://tipolapuponawog.weebly.com/uploads/1/3/2/6/132696210/4571201.pdfIn PDF document text
- https://bisuduroj.weebly.com/uploads/1/3/4/7/134714880/xalazumu.pdfIn PDF document text
- https://gogabaxada.weebly.com/uploads/1/3/4/8/134852864/d9dc30223.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- http://telosizaba.onlinewebshop.net/moravukurapimasebabilaxud.pdfIn PDF document text
- https://s3.amazonaws.com/juvosi/chauvet_amhaze_whisper_manual.pdfIn PDF document text
- https://4e4301d6-cc9a-4939-960a-6b497c1efea6.filesusr.com/ugd/d78803_442680d09b1a449aa222e07ed0e8a435.pdf?index=trueIn PDF document text
- https://s3.amazonaws.com/jivagajamav/76417319706.pdfIn PDF document text
- https://e9b66cc5-9289-431c-8f17-6739e1cd2d88.filesusr.com/ugd/c8f33b_94b8e238736d413f9be12e340847d6d0.pdf?index=trueIn PDF document text
- http://pejemevogoge.myartsonline.com/tukigimitudugoduj.pdfIn PDF document text
- https://1628ddcf-e301-416d-9649-d9339b85441b.filesusr.com/ugd/0b1079_bd7f2f16aeca44aebbd2fef4035500bd.pdf?index=trueIn PDF document text
- https://s3.amazonaws.com/purixifusipelid/xukamebisunesibifa.pdfIn PDF document text
- http://bebojivim.myartsonline.com/que_es_un_bosque_tropical.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000f7ce.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF7CE	5348 bytes
SHA-256: `bd1433d59b7afe8b91efcf0ee9ae7f5a01e645ed2286148e8f41cdf8ea20d095`
`font_01_sfnt_off00010a1b.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x10A1B	11116 bytes
SHA-256: `8768f2d97a92c05f9fc4ea8ebd5d61376d234b18067f3fc1552ac9873ab8d505`

Open this report in the interactive analyzer, or submit your own file for analysis.