Malicious PDF — malware analysis report

Static analysis result for SHA-256 2b2464e2d3a7597f…

MALICIOUS

PDF

91.8 KB Created: 2021-03-25 01:19:55 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 75a20b227b2f8d312ef753b5bc0c9bee SHA-1: d5a18a9172a0a64d98008acc1c9e118033ffb953 SHA-256: 2b2464e2d3a7597f8fb73db76dfba33959e92d1e94da99a0988ed4ba011d41de
196 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous external links, many pointing to S3 buckets and other file-hosting services, suggesting a link farm or distribution network. The 'SE_ADVANCE_FEE_SCAM_LURE' heuristic indicates the document's content is designed to trick users with promises of prizes or funds, a common tactic for advance-fee fraud. The presence of external URIs and the ClamAV detection strongly suggest malicious intent, likely to deliver a phishing or scam document.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jacksth.ru/wix?keyword=fish+in+a+tree+pdf+free+download
    • https://nasaxedinevizuv.weebly.com/uploads/1/3/4/7/134759800/zexiperolizuk.pdf
    • https://tabajojimito.weebly.com/uploads/1/3/4/3/134317549/1727611.pdf
    • https://cdn.sqhk.co/puwidebudojo/djbgjwt/janerur.pdf
    • https://zulafadosulivi.weebly.com/uploads/1/3/4/3/134305332/kaligopurolaba_nogusaxuwajav_xufizilefusut_fubukipaden.pdf
    • https://joxisewegiwazev.weebly.com/uploads/1/3/4/6/134669132/luduzukidajiwovovep.pdf
    • https://cdn.sqhk.co/fedukifenufu/ggYjbPE/gavune.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/xesigeze/19171700754.pdf
    • https://uploads.strikinglycdn.com/files/e8920697-c90e-491c-bd22-7151155a004a/nalibosajosipixumanujaj.pdf
    • https://s3.amazonaws.com/lurutopobi/6085128858.pdf
    • https://s3.amazonaws.com/bagisi/wa_police_online_crash_report_form.pdf
    • https://uploads.strikinglycdn.com/files/38680d68-d479-4bfa-a4b0-b8912c268b59/vizio_sound_bar_setup_no_remote.pdf
    • https://uploads.strikinglycdn.com/files/e3b03f77-9b22-4483-8e4f-c58af743c966/32251160585.pdf
    • https://uploads.strikinglycdn.com/files/68826fb6-21ec-484a-8466-716e5ee812fe/nepexusetizezuso.pdf
    • https://9e730ba1-499c-413e-9a09-8a81f8121270.filesusr.com/ugd/0a0016_96bfc61505d340cb9162713059a9cb01.pdf?index=true
    • https://uploads.strikinglycdn.com/files/ad0df016-cafd-460d-9393-ade2094ea079/33768330237.pdf
    • https://3a7b682b-4b85-4b21-836a-a34929c8735b.filesusr.com/ugd/0cd3a8_d67d5e7d7c49445c818c21dea00b8ffc.pdf?index=true
    • https://uploads.strikinglycdn.com/files/e02034aa-170c-4506-bcd8-fe9470abd7e3/25362359874.pdf
    • https://uploads.strikinglycdn.com/files/82d55b80-5fe2-4976-85a9-3d19919c54a3/the_miseducation_of_cameron_post_film_review.pdf
    • https://00c0516a-c822-4344-a779-6f74e039753d.filesusr.com/ugd/9e41f0_7ae9e74404a240c7b01d72e710f26c8d.pdf?index=true
    • https://uploads.strikinglycdn.com/files/f1958057-56fa-4196-a766-0f135754ce77/nilogejebivepekipukofe.pdf
    • https://uploads.strikinglycdn.com/files/6d2cde66-066a-4e4e-834c-3be08bbdd852/kowudebukiwem.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000126c4.bin
0530de072b37bedffe9d5c5f6d2cdf82a746d5af053e4cca0ee8f2bac552991e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x126C4 5176 bytes
font_01_sfnt_off00013871.bin
742ae4ae8f75451cdb8062e3063def27d03c4d12a8581c87961cbaa1c1887c0d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x13871 12724 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.