Malicious PDF — malware analysis report

Static analysis result for SHA-256 0ce3c14684d259e6…

Verdict: MALICIOUS
File type: PDF
Size: 82.3 KB
Created: 2021-05-21 03:51:26 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: df17732744e003135656712975db0919
SHA-1: 223ecfef4072a98a79df2b78909f72f1f3e19f56
SHA-256: 0ce3c14684d259e640eae85be3b7a84eab8b03f1d312e594bcddd01d62676695
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains an embedded URL pointing to a suspicious domain, identified by heuristics as a potential link farm and flagged by ClamAV as a phishing trojan. The document body, though partially corrupted, contains text about 'passive transport across the plasma membrane', which reads as a lure that disguises the malicious intent. The external links together with the ML classification strongly indicate a phishing or scam attempt.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9950

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://jumiwimov.ru/strik?utm_term=transporte+pasivo+a+traves+de+la+membrana+plasmatica

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000f443.bin
    SHA-256: d3421113cadaffe9b50ef7606d406b25f14233d8fdb54d39c5122405e96a847e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF443
    Size: 5156 bytes
  • font_01_sfnt_off000105a9.bin
    SHA-256: 1ac1513a46fde7360f4e69231c160f0478a6e97bd35c674c09d0846448cffb40
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x105A9
    Size: 11352 bytes
  • font_02_sfnt_off00012af9.bin
    SHA-256: 1158d95dac44631f497756703988ba3645251422e7ff0015d3fca430225e7c3e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12AF9
    Size: 4324 bytes