Malicious PDF — malware analysis report

Static analysis result for SHA-256 3ab52bfa63f523ed…

MALICIOUS

PDF

Size: 84.6 KB
Created: 2021-05-21 08:58:35 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: af6d6cd3eef46677cf38ea9eeec48df7
SHA-1: c7b4bdc500f3ea7fd21d2756286cbe02f9726a0e
SHA-256: 3ab52bfa63f523edfaaa26c42077839c8e4181ff40659852008ef843097fad22
Risk score: 196

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous external links, with one prominent URL pointing to a site offering "asphalt 6 mod apk download unlimited money". This, combined with heuristics indicating an advance-fee scam lure and a high ML classifier score, suggests the document is designed to trick users into downloading potentially malicious software or engaging in fraudulent schemes. The presence of embedded URLs and the overall structure point towards a phishing or scam attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (6)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Advance-fee lottery/parcel scam lure (high, SE_ADVANCE_FEE_SCAM_LURE)
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://golowaki.ru/strik?utm_term=asphalt+6+mod+apk+download+unlimited+money

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000f271.bin
    SHA-256: e6a0d0198032670c81f148120eede9752ebae0cad1cc4c5904aa6fc65b573720
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF271
    Size: 5504 bytes
  • font_01_sfnt_off0001051c.bin
    SHA-256: 48f611e5eac9fdd5bb27bcd1e39e39e71daff82b170b6e63eaa89be92cf209ee
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1051C
    Size: 11936 bytes
  • font_02_sfnt_off00012d39.bin
    SHA-256: 0875faeb2a44fad6ed737a09082368a8e20e166bc7d6f223910898fe36f5f854
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12D39
    Size: 16172 bytes