Malicious PDF — malware analysis report

Static analysis result for SHA-256 8f508073b99481e3…

MALICIOUS

PDF

99.6 KB Created: 2021-04-16 09:37:12 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0e4fa2f45160a8141dd5a80965464492 SHA-1: 1625e9678481019d0bf23f088f2ceac71ba1319b SHA-256: 8f508073b99481e39d37a57bc5b78a2fe2d652f098602d72e495d78a2f40fa7a
226 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

This PDF document is classified as malicious and exhibits characteristics of an advance-fee scam, likely intended to trick users into clicking external links. The document contains a large number of external links, many hosted on disposable domains, suggesting a link farm designed to redirect users to malicious sites. The presence of ML_NYX_PDF_MALICIOUS and ClamAV detections further supports its malicious nature. The primary attack vector appears to be social engineering via a lure related to package delivery or prize claims, leading to potential exploitation.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 7

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://xezojetit.ru/strik?utm_term=epson+wf+2530+change+ink+cartridges
    • https://bakovumosu.weebly.com/uploads/1/3/4/6/134679162/nupavosagoxe_suzisofuru.pdf
    • http://suvoramitasowiv.22web.org/interpreting_financial_statements.pdf
    • https://sumajodezidozi.weebly.com/uploads/1/3/3/9/133997227/wowaga.pdf
    • https://lugulake.weebly.com/uploads/1/3/4/7/134763312/zibapoxiramabes.pdf
    • https://gatixitawenubik.weebly.com/uploads/1/3/4/6/134643062/piduzunetofofa_viwemi_fasuto_nusojokumezaxix.pdf
    • https://fisudobu.weebly.com/uploads/1/3/0/8/130813554/vamifowixab_funumo_lorijexevowu.pdf
    • http://kakorezikudu.mypressonline.com/auto_associative_and_hetero_associative_memory_in_neural_network.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/vuxagixil/neato_botvac_connected_battery_replacement.pdf
    • http://lawewil.atwebpages.com/adolfo_bioy_casares_biografia.pdf
    • https://b6de9e3f-c562-4e05-b5ee-70895c8060ae.filesusr.com/ugd/3801ff_00be06de42c642fb93b154e3f76e0a18.pdf?index=true
    • http://jadabizufugiba.rf.gd/fun_riddles_and_brain_teasers_with_answers.pdf
    • http://sidakofonol.epizy.com/battlegrounds_survivor_battle_royale_mod_apk.pdf
    • https://s3.amazonaws.com/tutasujal/detadibefapetapodamu.pdf
    • https://d78d2789-9aef-4bfd-88be-9093bec910ef.filesusr.com/ugd/87a178_605e1fc18f10471296d51657e13306be.pdf?index=true
    • http://nixevafuzija.epizy.com/gadalutadoliz.pdf
    • https://s3.amazonaws.com/biwubeleba/chopin_nocturne_piano_sheet_music.pdf
    • https://d128792e-e0a8-46e0-98ed-b941f5da69b2.filesusr.com/ugd/b98abb_62dd25ae711f44458d717ae1a7f687fd.pdf?index=true
    • https://uploads.strikinglycdn.com/files/e6d68053-7613-4dec-870b-19911402cf94/48835509338.pdf
    • https://uploads.strikinglycdn.com/files/b18c3670-1d01-467e-a2ae-b7b3af93e634/nerarixosimejiro.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001436c.bin
bb63a8ae869b68df2b7e983c4e39903225de6b0f4f0b1c2f4cc8912e5cee891f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1436C 6060 bytes
font_01_sfnt_off00015823.bin
c07efacdbb103c4fff056147594c3d5eda4f9088e6070a281e9cc42f2ad087e9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x15823 11664 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.