Malicious PDF — malware analysis report

Static analysis result for SHA-256 18808dc94ec85693…

MALICIOUS

PDF

67.0 KB Created: 2021-02-19 02:15:19 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-24
MD5: e65caee57c51f4aec0cd9d2a4b8196e9 SHA-1: 20237b43fd3cbbe1ba956c4ffcbf37934566e208 SHA-256: 18808dc94ec85693d1ade782576e217a8e079f8fd00a18fe533d0b3d1fa1ec38
166 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is a PDF document flagged by ML classifiers and ClamAV as malicious. Heuristics indicate it functions as an advance-fee scam lure, presenting language related to lotteries, prizes, and parcel delivery. The document contains numerous external URIs, including one pointing to 'jacksth.ru', which likely serves as a landing page or part of the scam infrastructure. No scripts were extracted, but the PDF structure itself is leveraged for malicious purposes.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jacksth.ru/strik?utm_term=how+to+start+your+own+music+industry+pdf PDF link annotation
    • https://xogofodaromaf.weebly.com/uploads/1/3/4/3/134387758/lusafimafuzuzarafux.pdfIn PDF document text
    • http://lnstagram-blue-badge-form.com/coats_tire_changer_repair_partsrrsgz.pdfIn PDF document text
    • http://bijatutolime.iblogger.org/250_year_day-_date_reference_guide.pdfIn PDF document text
    • https://cdn.sqhk.co/wabajevebe/e6yigih/greenland_movie_trailer_release_date.pdfIn PDF document text
    • https://sidilatadafexu.weebly.com/uploads/1/3/1/1/131164021/xemitekopa_nimixukixilo.pdfIn PDF document text
    • https://cdn.sqhk.co/wupifufexix/gggSPgd/my_location_to_home.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4484364/normal_6002e945dd24c.pdfIn PDF document text
    • https://cdn.sqhk.co/wirubetena/dha2pUs/mowopekogozag.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4466379/normal_5fdb19e217325.pdfIn PDF document text
    • http://santand-es.com/reported_speech_examples_for_class_9793df.pdfIn PDF document text
    • http://raisinshq.pro/the_princess_diarist_reviewyjhwc.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4373271/normal_6006cf8a00a95.pdfIn PDF document text
    • https://xaxazusilu.weebly.com/uploads/1/3/4/7/134757455/2229311.pdfIn PDF document text
    • http://waneboto.66ghz.com/jet_engine.pdfIn PDF document text
    • http://fitit.space/49136101086kkbza.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://zizematav.epizy.com/bufuzarexajame.pdfIn PDF document text
    • http://bodiluduf.rf.gd/lg_34cb99-w_refresh_rate.pdfIn PDF document text
    • http://javasuk.epizy.com/37828460612.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c628.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xC628 5424 bytes
SHA-256: 82720ce47983c686f4b9b32370bef05e7765e00b7cf5e7a8b5ddf9c969a91416
font_01_sfnt_off0000d89b.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD89B 11292 bytes
SHA-256: 540938563ce436a4642b57dd9ac84cab0d800f4ef7a9069321a8aae151ae6b7c