Malicious PDF — malware analysis report

Static analysis result for SHA-256 1f3843d063a95913…

MALICIOUS

PDF

92.2 KB Created: 2021-03-24 10:42:14 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d0a2d27f0fe3bada9c3f836a7a5d1f02 SHA-1: d38251bd0a2d7f483a93bba316005b708b1975c4 SHA-256: 1f3843d063a95913cdf35abf6ef6d1aa398e3e2a1e15574ed563b409fd7a5ff6
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a "lumper receipt pdf" lure, as indicated by the document body and the SE_INVOICE_LURE heuristic. It embeds multiple external URIs, with a primary malicious-looking URL pointing to 'soxebez.ru'. The ML classifier and ClamAV detection strongly suggest malicious intent, likely to download a second-stage payload. No scripts were extracted, but the PDF structure and embedded URIs are indicative of a phishing or malware delivery attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://soxebez.ru/wix?keyword=lumper+receipt+pdf
    • https://cdn-cms.f-static.net/uploads/4491445/normal_5fe826dfb19f1.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/863f95e2-54e4-467f-9694-ed237acd4544/black_and_decker_toaster_oven_manual_to3260xsbd.pdf
    • http://gixisenusadat.rf.gd/farudejidoxit.pdf
    • https://uploads.strikinglycdn.com/files/3119b488-c616-4e66-ba03-bd7034cf1ae1/37029870473.pdf
    • https://f64a1a0a-debf-4843-a838-a34c0cae0f4a.filesusr.com/ugd/89602e_ccd099bd2dd74066ad275f08dc3edc7c.pdf?index=true
    • https://f2fffe36-c7b4-4b88-9608-518dc6c14750.filesusr.com/ugd/950b2a_128a39871d634e2fbba7dd4c96954ec5.pdf?index=true
    • https://uploads.strikinglycdn.com/files/ffa70661-c634-44b7-9976-4a945163477c/65689283.pdf
    • https://uploads.strikinglycdn.com/files/d8f5673a-f974-42e8-9959-dabff6c62d02/13274935974.pdf
    • https://32e47638-7206-44c1-ad53-5c6f9176402e.filesusr.com/ugd/e00742_69c5dfdc89594d9093c7db253a409e01.pdf?index=true
    • https://uploads.strikinglycdn.com/files/c2517de4-7e93-48ee-a53e-22b8a0e9e2bd/what_is_the_electron_geometry_for_h2o_molecule.pdf
    • https://d8d078ea-10ec-4787-8e21-ef6e32b87a24.filesusr.com/ugd/8f6098_88ea9fba206442e88d23174c19c789c2.pdf?index=true
    • http://remigesej.epizy.com/jawevibilufawojimudepega.pdf
    • https://c0771fee-1ba5-4dbf-bba5-a775c3d44c03.filesusr.com/ugd/544e7e_c59090a2b172475f8e0d89ff41465440.pdf?index=true
    • https://2a403a33-5f6e-4534-96f9-742aa7325afc.filesusr.com/ugd/d2da83_a244a8fe1b454543a451231a403fba6b.pdf?index=true
    • https://uploads.strikinglycdn.com/files/1da12184-4640-434f-905e-acf10b2013ad/paganufifogerivofudaloke.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000113f7.bin
f7e3e8dcd394da4f3b6fe04aa1e11d18abe368de1e2dbe0cc87507eac8114952		 pdf-font-stream PDF embedded font (sfnt) at offset 0x113F7 4824 bytes
font_01_sfnt_off0001244b.bin
12e1a33af55dfb1d050f765a7374a511dc5ed00982453cbab118078e1a0da157		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1244B 12524 bytes
font_02_sfnt_off00014eea.bin
5bfda07072dd2e1b0df7f1680a75ba616774ec51e1a09c257f000ba239241e1c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x14EEA 16140 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.