Malicious PDF — malware analysis report

Static analysis result for SHA-256 92f40199793e5b6d…

Verdict: MALICIOUS
File type: PDF
Size: 105.0 KB
Created: 2021-05-26 06:15:26 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 767e46a840850164ef0f439deada3712
SHA-1: bdceca77d73e0c36311aac2f45c156d5fde90764
SHA-256: 92f40199793e5b6daaf0043f4fc765d5db3a34cf9113458cbf84ffb251301a97
Risk Score: 196

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a high number of external links, many of which are SEO-optimized and point to benign-looking documents, suggesting a link farm designed to boost search rankings. One of the primary links, however, leads to a domain associated with phishing and advance-fee scams. The document body, though heavily obfuscated, contains keywords related to parcel delivery and financial transactions, reinforcing the scam lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (6)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Advance-fee lottery/parcel scam lure (high, SE_ADVANCE_FEE_SCAM_LURE)
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://zajinet.ru/strik?utm_term=does+walgreens+carry+sewing+needles
    • https://cdn-cms.f-static.net/uploads/4418175/normal_606293c5607df.pdf
    • https://zusiwugebibod.weebly.com/uploads/1/3/4/4/134484471/nularap_bozujete.pdf
    • https://static.s123-cdn-static.com/uploads/4406775/normal_5fcf60ce2b9ae.pdf
    • https://boretenewur.weebly.com/uploads/1/3/1/4/131453221/d905b5dbbced.pdf
    • https://tutamedu.weebly.com/uploads/1/3/1/8/131856186/wapawuxixelurebemis.pdf
    • https://kajuzenutojaso.weebly.com/uploads/1/3/4/6/134631714/4687d42638.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/29092d90-9c53-4ab5-a756-d2889412e927/navy_brag_sheet_template_for_evals.pdf
    • https://uploads.strikinglycdn.com/files/e604280d-b00e-4492-bc2e-f180c918f027/are_movado_watches_worth_the_money.pdf
    • https://uploads.strikinglycdn.com/files/7851b6cd-b5ae-4010-b89c-1c471be1c5fb/80212747496.pdf
    • https://uploads.strikinglycdn.com/files/9decde53-a316-4cb0-810b-e348530619db/95072401383.pdf
    • https://uploads.strikinglycdn.com/files/53833c1c-0e31-4dc9-9585-4d237fad8626/fumumuwufanonune.pdf
    • https://uploads.strikinglycdn.com/files/7c42fb6f-9782-41a4-a09a-02ca4c62d70c/watch_old_tagalog_movies_online_free.pdf
    • https://uploads.strikinglycdn.com/files/0d29bca7-aea2-42fe-871a-85e2ff232fdc/real_book_index_by_composer.pdf
    • https://uploads.strikinglycdn.com/files/4675f25d-b5bf-4809-b8e5-a97cb188b390/35513894642.pdf
    • https://uploads.strikinglycdn.com/files/94812542-fffc-4d03-946f-abecded1455e/94234846885.pdf
    • https://uploads.strikinglycdn.com/files/c9dd1e16-2af6-4288-8439-1a6db6ccbb49/33398403848.pdf
    • https://uploads.strikinglycdn.com/files/78647c93-0329-45a5-8f8d-4379126af5ce/graphic_design_portfolio_inspiration.pdf
    • https://uploads.strikinglycdn.com/files/1ff44f9a-6e72-4889-a474-43460c0d6504/diagrama_de_fusibles_jetta_a4_2005_en_espaol.pdf
    • https://uploads.strikinglycdn.com/files/5a333666-80e5-4c5e-bfdd-e9e467e01a26/how_do_i_make_an_acer_recovery_disk.pdf
    • https://uploads.strikinglycdn.com/files/f408d629-9d11-4cde-b389-2e4ee3008033/burning_wheel_codex_review.pdf
    • https://uploads.strikinglycdn.com/files/c739a5e0-142d-4dbd-b61f-c2eeaeaee6d9/spider_man_3_full_movie_in_hindi_youtube.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00015bce.bin
    SHA-256: 5bfc409fce33f64203682624aa05a69655317e3f66c4f46c3089e255450aee89
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x15BCE
    Size: 5300 bytes
  • Filename: font_01_sfnt_off00016e00.bin
    SHA-256: 7efb807fa88823e2676417b9a771478a67ed6af748bb3eb1ec3a7151df1bc2ab
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x16E00
    Size: 11664 bytes