PDF malware analysis — malicious · 0b2a95f39ece0874

MALICIOUS

PDF

126.5 KB Created: 2021-03-12 14:54:50 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 291613086dfea234234c0fd7d3cde0c1 SHA-1: 79e083785881cee7db46be20db09f9e017bbc70c SHA-256: 0b2a95f39ece087439c6e35f2f9d258fa9f154509b53dec5784da9e4d8ba5f8d

226 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains a link farm designed to direct users to various external resources, masquerading as legitimate documents. The heuristic 'SE_ADVANCE_FEE_SCAM_LURE' strongly indicates that the document's content is intended to deceive users into believing they are involved in a lottery or prize scheme, a common tactic for advance-fee fraud. The presence of numerous external links, many on disposable hosting, further supports this malicious intent.

Machine Learning

Nyx PDF Classifier malicious score 0.9995

Heuristics 7

Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE

Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://xezojetit.ru/123?utm_term=income+guidelines+for+affidavit+of+support+2015
- http://gaxazoxisis.22web.org/what_to_mix_with_crown_royal_black.pdf
- http://jevopapivixepe.iblogger.org/lucid_dreams_sheet_music_clarinet.pdf
- https://ladunibik.weebly.com/uploads/1/3/4/0/134096621/tuzesaxewofotusor.pdf
- https://vebunigujop.weebly.com/uploads/1/3/4/3/134367951/xixozovoso.pdf
- http://xasujaru.22web.org/vuvifegabawevuruja.pdf
- http://riwetisanuda.iblogger.org/kevemelazuzobar.pdf
- https://fepepifufom.weebly.com/uploads/1/3/1/8/131872298/32e62aca3d17220.pdf
- http://jujasoje.iblogger.org/disupidiwufegawur.pdf
- https://pebabole.weebly.com/uploads/1/3/4/6/134698512/tufokuso.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://www.daltonmaag.com/
- https://1c019786-7048-4615-837a-ae53f087c4ae.filesusr.com/ugd/8b4172_046119c68aea4a2e9a4b449ea5341346.pdf?index=true
- http://pebotavafusu.epizy.com/happy_birthday_jesus_violin_sheet_music.pdf
- https://367e539a-c541-4439-991c-4bf2bef2aa7a.filesusr.com/ugd/77d535_e32f4abfd4f8445c9821bac3db10dd14.pdf?index=true
- https://uploads.strikinglycdn.com/files/989d9c77-6b1a-457d-b46b-0b4f80abe18d/will_voyager_reach_another_solar_system.pdf
- http://luwusifijusu.rf.gd/disoju.pdf
- http://suvumudupese.epizy.com/52929027445.pdf
- https://uploads.strikinglycdn.com/files/bfdfa94a-9de2-4207-bef3-d415b546b22c/76798262511.pdf
- https://c8a164a7-2549-4056-b209-d27d417f800b.filesusr.com/ugd/136d3d_e993db1132b348a18aaab79c83eb48a3.pdf?index=true
- https://uploads.strikinglycdn.com/files/43c919ab-9bf1-4f7b-8ea1-30441cd33def/38080659074.pdf
- https://4be8a7ba-6c9a-47a4-99fc-a5961b41a404.filesusr.com/ugd/132250_b443fcf1d8644da1a6b155bf64ce3e5a.pdf?index=true
- https://uploads.strikinglycdn.com/files/992c69d0-949c-4373-a453-7d96b0458ad3/pomujimadipaje.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000199ba.bin` `feb7b0a231daa5869376ede745e3710e8328e703e54e7a1fa61048461e3e1f84`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x199BA	2864 bytes
`font_01_sfnt_off0001a3ea.bin` `8dd8267c76c75f587fc3eb1996f5bca393665a50ee77cdd7f6a495f37878e9bf`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1A3EA	5804 bytes
`font_02_sfnt_off0001b797.bin` `60ca817733a9ef2e5ff97a62e0160e116e53b11525889fd4217aad6a754ae7ee`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1B797	11260 bytes
`font_03_sfnt_off0001dd9a.bin` `0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1DD9A	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.