Malicious PDF — malware analysis report

Static analysis result for SHA-256 800abccc6135c155…

Verdict: MALICIOUS
File type: PDF
Size: 75.7 KB
Created: 2021-05-14 19:32:20 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 35a368f9b677651fdefd1a44e2a55bc3
SHA-1: e65fc0310ebeafe42c26926196eaa9a205c4ac09
SHA-256: 800abccc6135c155e3767f0707920bbda10b7f4e1985f077c69f2b27cd1df797
Risk score: 196

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1190 Exploit Public-Facing Application
  • T1059.007 JavaScript

This PDF document exhibits characteristics of an advance-fee scam, presenting a lure related to lottery winnings or parcel delivery. The presence of numerous external links, including one to 'soxebez.ru', suggests an attempt to redirect the user to malicious content or phishing sites. The ML classifier and ClamAV detection strongly indicate malicious intent, likely involving the exploitation of PDF vulnerabilities to deliver a payload or redirect to a scam.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9998

Heuristics (6)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware under the signature name Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0.
  • SE_ADVANCE_FEE_SCAM_LURE (high): Advance-fee lottery/parcel scam lure
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000ea7e.bin (SHA-256 30ee0164eb409ec187a1e0f7c778baf53f733d0d80119611866be14c3195582d) | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEA7E | 5348 bytes
font_01_sfnt_off0000fc8c.bin (SHA-256 14ba8f06864532ed7eb03bb22f7f752510a3fc75929765388a622834085114e1) | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFC8C | 10756 bytes