Malicious PDF — malware analysis report

Static analysis result for SHA-256 30994d34b5e7bea5…

MALICIOUS

PDF

Size: 113.7 KB
Created: 2021-06-03 19:29:07 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d43c2785747fe0987aecbc248dcc926f
SHA-1: 78fe912d919624cf3957bc80166f57c1a8803953
SHA-256: 30994d34b5e7bea585623d26e111dccc079e14af3b0c52570174dece9dfd1fdc
Risk Score: 192

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document contains a large number of external links, many of which are hosted on file-sharing or blogging platforms, suggesting a link farm or distribution point for malicious content. The document body, though heavily obfuscated, contains keywords related to debt collection and urgency, aligning with phishing lures. The presence of multiple PDF URI heuristics and a critical ML classifier score strongly indicates malicious intent, most likely redirecting users to download further malware.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics (8)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV detection (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Callback phishing phone lure (medium, SE_CALLBACK_LURE)
    Document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • Urgency / deadline lure (low, SE_URGENCY_LURE)
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings.
  • Fake invoice / payment lure (low, SE_INVOICE_LURE)
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00018137.bin
  SHA-256: 18e3a36a977e1e426acc01006d2ba3792f8e28787e25e10db0ff5552a641b8ce
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x18137
  Size: 5412 bytes

Filename: font_01_sfnt_off000193bb.bin
  SHA-256: 83170e0db12f06702916fc950560995d939da4c01f22d7d561a93c2743270f0d
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x193BB
  Size: 11040 bytes