Malicious PDF — malware analysis report

Static analysis result for SHA-256 4359117227a8d5a4…

MALICIOUS

PDF

97.5 KB Created: 2021-03-15 13:03:52 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e1b957be8793f41dfc9f3dc561866261 SHA-1: 2afcf08952246a63fa1a5c577b4b78b4dcb60228 SHA-256: 4359117227a8d5a46b69feb89ba2ca8993d69fedbaa941ee6081b9dde83f4a0e
206 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution T1071.001 Web Protocols

This PDF is classified as malicious by ML models and ClamAV, and exhibits characteristics of an advance-fee scam. It contains multiple suspicious links, including an invisible link to 'http://managerprogram.live/best_murder_mystery_box_setsvdsr5.pdf', which is likely intended to lead the user to a fraudulent document. The document body, though heavily obfuscated, appears to be a lure related to a risk assessment report.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Image-heavy PDF with invisible link to suspicious domain high PDF_SUSPICIOUS_LINK_LURE
    PDF is a small image-heavy lure with invisible link annotations that send the user to a suspicious high-risk-domain URI. This matches credential-phishing carriers where the visible document is only a prompt and the real collection flow happens on the linked website.
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://baarspo.ru/123?utm_term=sample+rmf+risk+assessment+report
    • http://komaxinatobofe.medianewsonline.com/which_period_is_considered_as_second_stage_of_industrial_revolution.pdf
    • http://sekujirimabasas.getenjoyment.net/pekuzekamegorosizumej.pdf
    • http://momentikshop.space/where_does_the_word_math_originate_fromx2izb.pdf
    • http://zapazereti.22web.org/928019989.pdf
    • http://1xbet-sportstavki.fun/the_essentials_of_computer_organization_and_architecture_5th_edition_freekcl8u.pdf
    • http://managerprogram.live/best_murder_mystery_box_setsvdsr5.pdf
    • http://mosebuzixat.mywebcommunity.org/defene.pdf
    • http://neviresutuv.iblogger.org/jivadivegote.pdf
    • http://daating19.site/how_long_do_you_cook_turkey_burgers_on_george_foreman_grillkv9gn.pdf
    • http://wufamega.scienceontheweb.net/pigujaza.pdf
    • http://mutujejeturuduf.medianewsonline.com/supodetubokolere.pdf
    • http://supusatode.sportsontheweb.net/13471963697.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://tanonarimunal.myartsonline.com/sql_server_2020_stored_procedures_tutorial.pdf
    • https://uploads.strikinglycdn.com/files/91317b84-d0d9-4455-bde4-2ca6fc156c87/diet_evolution_reviews.pdf
    • http://dutugege.epizy.com/zojoxakulikomanefirese.pdf
    • https://uploads.strikinglycdn.com/files/5f50bc11-0f36-434a-bf3f-001349544007/70473123093.pdf
    • http://jowawaba.atwebpages.com/negatevapixoletopo.pdf
    • http://zepizevut.atwebpages.com/xovalaxaruzigebuxo.pdf
    • https://uploads.strikinglycdn.com/files/1807c1e4-9195-41b3-8fb8-60c5fc06e575/how_to_interpret_dreams_and_visions_perry_stone.pdf
    • http://javuxanasojajex.epizy.com/58209453956.pdf
    • https://uploads.strikinglycdn.com/files/78c157a6-c47b-488d-aeb3-a515714a1705/sizejivagemel.pdf
    • https://uploads.strikinglycdn.com/files/270906bc-d307-4481-be0f-ab1d32797644/what_is_the_relative_location_of_tokyo.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000140fb.bin
c6456d1bc7ae03fe98697b4d20fe43c8d4f3d95981f1fbf385786b14c4acc8ae		 pdf-font-stream PDF embedded font (sfnt) at offset 0x140FB 5216 bytes
font_01_sfnt_off0001529f.bin
680d5010b8409740e5d7c87bdbdd6bba881d84839677b122f196ee4583a3a06e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1529F 10960 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.