Malicious PDF — malware analysis report

Static analysis result for SHA-256 9c2d689ec898a125…

Verdict: MALICIOUS
File type: PDF
Size: 94.1 KB
Created: 2021-03-22 22:22:05 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6200967094fe197d71e62dd28468ad22
SHA-1: 7edac4ab8d236ad550bebacf01564e0a440ba201
SHA-256: 9c2d689ec898a125eb9b35ec81d693f52fd485083b3d1ba9cc9215e985d71428
Risk score: 196

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF carries dozens of external links, most of them to other PDFs on a few file-hosting domains (cdn-cms.f-static.net, uploads.strikinglycdn.com, *.filesusr.com) plus a handful of throwaway .ru/.club/.site/.xyz hosts, the shape of a generated SEO link-farm carrier rather than a normal citation list. The SE_ADVANCE_FEE_SCAM_LURE heuristic indicates that the visible text is an advance-fee lure built around a fake prize or parcel. Together with the ClamAV phishing signature and the 0.9961 classifier score, this supports a verdict of phishing/scam delivery rather than a document exploit: none of the six heuristics reports JavaScript or embedded executable content (the T1059.007 mapping is not backed by any JavaScript finding in this report), so the harm lies in where the links take the user. The w3.org, purl.org, ns.adobe.com and scripts.sil.org entries in the URL list are almost certainly XMP namespace and font-licence identifiers rather than clickable link targets.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9961

Heuristics (6)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://golowaki.ru/award?keyword=anatomy+for+sculptors+understanding+the+human+figure+pdf+free+download
    • https://cdn-cms.f-static.net/uploads/4412158/normal_5fd86b7ab146f.pdf
    • https://cdn-cms.f-static.net/uploads/4412588/normal_60442f2e7a9f9.pdf
    • https://cdn-cms.f-static.net/uploads/4404123/normal_603a69834e3db.pdf
    • http://goromeo.club/75749954755d9smg.pdf
    • https://cdn-cms.f-static.net/uploads/4413845/normal_604f5a7a846c3.pdf
    • https://cdn-cms.f-static.net/uploads/4483071/normal_5fd880c187f75.pdf
    • http://uaportal.site/tikipemorupotifokilivizfy8u2.pdf
    • https://cdn-cms.f-static.net/uploads/4390323/normal_603594ecd3c62.pdf
    • https://cdn-cms.f-static.net/uploads/4446388/normal_5fd1e4a472f55.pdf
    • http://balifruit.com/what_order_do_the_weights_in_a_grandfather_clock_goq78m8.pdf
    • http://menformula.xyz/dowovozokerafaxogarusaw7r1v.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/33963dca-5616-4304-bd54-8867a763bbad/images_of_organization_charts.pdf
    • https://uploads.strikinglycdn.com/files/c837e58f-b1a7-4d02-9f1f-17fecb16bba4/what_is_canon_in_literature.pdf
    • https://f38be386-5799-403b-9303-fb121113655a.filesusr.com/ugd/6f1aa7_04339be5f0e64faba75bbf6b825fb9f5.pdf?index=true
    • https://uploads.strikinglycdn.com/files/64a4fddc-9dc8-4097-9de7-664edf350a81/microsoft_wireless_mobile_mouse_4000_not_connecting.pdf
    • https://uploads.strikinglycdn.com/files/418b4997-d29c-45a3-9d7c-9d98bfe22989/mebutopiza.pdf
    • https://e668d0bc-6b9c-4787-ac64-5363b724ef62.filesusr.com/ugd/6ec699_79a9ac7e0df4496cad98f910213bdb1a.pdf?index=true
    • https://uploads.strikinglycdn.com/files/ec114fc1-2f7d-4090-8c5c-a66ffee529e8/20272073101.pdf
    • https://uploads.strikinglycdn.com/files/3eddc5dc-e744-4bfd-9ffd-9096d2fbc456/pajonovazijixizoletuj.pdf
    • https://uploads.strikinglycdn.com/files/01260420-e327-4577-ba02-3df8047447a0/resiwasu.pdf
    • https://uploads.strikinglycdn.com/files/3e5fcb38-f308-48ce-86e9-3285065efe40/mevivesajeru.pdf
    • https://a29d81ee-e589-4368-99bd-4e0be04eb4c0.filesusr.com/ugd/a89e6e_8042e43553f44232b8019d0b254bc8c3.pdf?index=true
    • https://uploads.strikinglycdn.com/files/854ee55c-ef5b-47fc-9824-28fe6eaf6fe8/bigger_leaner_stronger_calculator.pdf
    • https://a24bc4ef-4ee2-4fae-af0c-c9fea810b245.filesusr.com/ugd/67d96c_63a2821769004d0cbc280c0c2814941c.pdf?index=true
    • https://84d655c4-d84a-4a0c-9c32-0387925bd622.filesusr.com/ugd/6233da_c29f0e5ec23d438b94ea2e223ff27e52.pdf?index=true
    • https://uploads.strikinglycdn.com/files/5aa27d4a-3b24-4887-90f6-c1ea8286f6d7/tuxuzevavuwijudasu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
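The four structural heuristics above (PDF_URI, PDF_SEO_LINK_FARM, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, and the URL extraction that feeds EMBEDDED_URL) can be reproduced with a small regex-based triage pass that never trusts the xref table. The following is an added example written for this page, not code from the report engine or its authors; the PDF bytes, the example.* hostnames and the link-farm thresholds are constructed assumptions, not values taken from the analysed sample.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample, not bytes from the analysed file: a minimal PDF with three
# link annotations, followed by an incremental update that redefines object 4 0
# with a different /URI. It has no xref table; this triage never trusts one.
# Hostnames are placeholders (example.* domains), not the report's URLs.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]"
    b" /Annots [4 0 R 5 0 R 6 0 R] >>\nendobj\n"
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]"
    b" /A << /S /URI /URI (https://cdn-cms.example.net/uploads/1/a.pdf) >> >>\nendobj\n"
    b"5 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 30 100 50]"
    b" /A << /S /URI /URI (https://cdn-cms.example.net/uploads/2/b.pdf) >> >>\nendobj\n"
    b"6 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 60 100 80]"
    b" /A << /S /URI /URI (http://lure.example.club/x.pdf) >> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    # Incremental update: same object number and generation, different body bytes.
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]"
    b" /A << /S /URI /URI (http://payload.example.site/y.pdf) >> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

# /URI (literal string); backslash escapes inside the string are kept as written.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
# "N G obj ... endobj"; the lookbehind stops "14 0 obj" from also matching as "4 0 obj".
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
# Keys whose presence in a duplicated body raises the duplicate-object severity.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/URI", b"/GoToR",
               b"/SubmitForm", b"/EmbeddedFile", b"/OpenAction", b"/AA")


def extract_uris(data):
    """All /URI action targets in file order, duplicates kept (input to PDF_URI / EMBEDDED_URL)."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(data)]


def link_farm_check(uris, min_links=10, min_share=0.6):
    """PDF_SEO_LINK_FARM-shaped test: many http(s) links, mostly on one host.
    The thresholds are illustrative assumptions, not the report engine's values."""
    external = [u for u in uris if urlparse(u).scheme in ("http", "https")]
    if not external:
        return {"links": 0, "pdf_links": 0, "top_host": None, "share": 0.0, "hit": False}
    hosts = Counter(urlparse(u).netloc.lower() for u in external)
    pdf_links = sum(1 for u in external if urlparse(u).path.lower().endswith(".pdf"))
    top_host, n = hosts.most_common(1)[0]
    share = n / len(external)
    return {"links": len(external), "pdf_links": pdf_links, "top_host": top_host,
            "share": share, "hit": len(external) >= min_links and share >= min_share}


def objects_by_id(data):
    """(num, gen) -> list of body bytes for every 'N G obj' definition, in file order."""
    found = {}
    for m in OBJ_RE.finditer(data):
        key = (int(m.group(1)), int(m.group(2)))
        found.setdefault(key, []).append(m.group(3).strip())
    return found


def duplicate_objects(data):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: ids defined more than once with differing bytes."""
    return {k: v for k, v in objects_by_id(data).items() if len(set(v)) > 1}


def resolve(data, num, gen, policy):
    """Body a 'first'-wins or 'last'-wins reader would use for num gen, ignoring the xref."""
    bodies = objects_by_id(data).get((num, gen))
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


def carries_active_content(body):
    return any(k in body for k in ACTIVE_KEYS)


def triage(data, min_links=10, min_share=0.6):
    """Labels in the report's style for the findings this pass can reproduce."""
    findings = []
    uris = extract_uris(data)
    if uris:
        findings.append("PDF_URI")
    if link_farm_check(uris, min_links, min_share)["hit"]:
        findings.append("PDF_SEO_LINK_FARM")
    for (num, gen), bodies in sorted(duplicate_objects(data).items()):
        sev = "raised" if any(carries_active_content(b) for b in bodies) else "info"
        findings.append(f"PDF_DUPLICATE_OBJ_BODY_INCREMENTAL {num} {gen} ({sev})")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_PDF, min_links=3, min_share=0.5):
        print(line)
    print("first-wins:", resolve(SAMPLE_PDF, 4, 0, "first"))
    print("last-wins: ", resolve(SAMPLE_PDF, 4, 0, "last"))
```

Only `/URI (...)` literal strings are scanned, so the XMP namespace URIs in the list above would not be reported by this pass; hex-string and object-stream-packed targets are also out of scope. Real readers resolve objects through the xref, which an incremental update appends to, so comparing the first-wins and last-wins views for every duplicated id is the quickest way to see whether a targeted PDF shows one link to a scanner and another to the viewer.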

Extracted artifacts (2)

Files carved from inside the sample during analysis.

font_00_sfnt_off00012d46.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x12D46
  Size: 5752 bytes
  SHA-256: e1936c8092372694910b5285f30fb259fc728cdff76e20afe799d0f3d57b826a

font_01_sfnt_off000140cc.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x140CC
  Size: 12320 bytes
  SHA-256: f7679998f1501f6326ddc802e1c60197e81360baefc608de989f2224b6c70704
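Records like the two above come from walking the file's stream objects, decoding the Flate-compressed ones, keeping those that start with an sfnt magic and hashing the result. The following is an added example of that carving step, written for this page and not the report's own carver; the PDF and the font blob inside it are constructed inline (the analysed file's font streams are not reproduced here), and the table-directory check is an added sanity test that a carved font program is internally consistent.

```python
import hashlib
import re
import struct
import zlib


def _fake_sfnt():
    """Constructed minimal TrueType container (header + 2 table records + data); not a real font."""
    tables = [(b"head", b"\x00" * 54), (b"name", b"demo-font")]
    header = b"\x00\x01\x00\x00" + struct.pack(">HHHH", len(tables), 32, 1, 0)
    offset = 12 + 16 * len(tables)
    records, body = b"", b""
    for tag, payload in tables:
        records += struct.pack(">4sIII", tag, 0, offset + len(body), len(payload))
        body += payload + b"\x00" * (-len(payload) % 4)  # sfnt tables are 4-byte aligned
    return header + records + body


FONT_BLOB = _fake_sfnt()
FONT_BLOB_SHA256 = hashlib.sha256(FONT_BLOB).hexdigest()


def _stream_obj(num, extra, data):
    return (b"%d 0 obj\n<< /Length %d%s >>\nstream\n" % (num, len(data), extra)
            + data + b"\nendstream\nendobj\n")


# Constructed sample PDF: a catalog, a page content stream, and the font above stored
# Flate-compressed as a FontFile2-style stream. No xref; this is not the analysed file.
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    + _stream_obj(2, b"", b"BT /F1 12 Tf (hello) Tj ET")
    + _stream_obj(3, b" /Filter /FlateDecode /Length1 %d" % len(FONT_BLOB), zlib.compress(FONT_BLOB))
    + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

# "N G obj << dict >> stream"; the tempered dot stops the dict from swallowing an earlier
# non-stream object's "endobj" and mis-attributing the stream to the wrong object id.
STREAM_HDR_RE = re.compile(
    rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\s*(<<(?:(?!endobj).)*?>>)\s*stream\r?\n", re.DOTALL)
# Direct integer /Length only; an indirect "/Length 7 0 R" is deliberately not matched.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\d)(?!\s*\d+\s+R)")
SFNT_MAGIC = {b"\x00\x01\x00\x00": "TrueType", b"true": "TrueType", b"OTTO": "OpenType/CFF"}


def iter_streams(data):
    """Yield (num, gen, dict_bytes, data_offset, decoded_bytes) for each stream object."""
    for m in STREAM_HDR_RE.finditer(data):
        num, gen, d = int(m.group(1)), int(m.group(2)), m.group(3)
        start = m.end()
        lm = LENGTH_RE.search(d)
        if lm:
            raw = data[start:start + int(lm.group(1))]
        else:  # indirect /Length: fall back to the endstream keyword
            end = data.find(b"endstream", start)
            if end < 0:
                continue
            raw = data[start:end].rstrip(b"\r\n")
        if b"/FlateDecode" in d:
            try:
                raw = zlib.decompress(raw)
            except zlib.error:
                continue  # corrupt or mislabelled filter; a real triage would log this
        yield num, gen, d, start, raw


def sfnt_tables(blob):
    """Parse the sfnt table directory; ValueError if a record points outside the blob."""
    if len(blob) < 12:
        raise ValueError("short sfnt header")
    num_tables = struct.unpack(">H", blob[4:6])[0]
    tables = {}
    for i in range(num_tables):
        rec = blob[12 + 16 * i:28 + 16 * i]
        if len(rec) < 16:
            raise ValueError("truncated table directory")
        tag, _checksum, off, length = struct.unpack(">4sIII", rec)
        if off + length > len(blob):
            raise ValueError("table %r runs past the end of the font" % tag)
        tables[tag.decode("latin-1")] = (off, length)
    return tables


def carve_fonts(data):
    """Carve sfnt font programs from a PDF's streams (analogous to the font_NN_sfnt_off* artifacts)."""
    carved = []
    for num, gen, _d, offset, body in iter_streams(data):
        kind = SFNT_MAGIC.get(body[:4])
        if kind is None:
            continue
        try:
            tables, well_formed = sfnt_tables(body), True
        except ValueError:
            tables, well_formed = {}, False
        carved.append({"object": (num, gen), "offset": offset, "kind": kind, "size": len(body),
                       "sha256": hashlib.sha256(body).hexdigest(),
                       "tables": sorted(tables), "well_formed": well_formed})
    return carved


if __name__ == "__main__":
    for f in carve_fonts(SAMPLE_PDF):
        print("font_%02d_sfnt_off%08x.bin" % (f["object"][0], f["offset"]), f["size"], f["sha256"])
```

The offset recorded is where the stream data begins in the file, matching the `off…` convention of the artifact names, while the size and hash are of the decoded font program. Carving fonts from a phishing PDF is mostly a de-duplication aid (identical wkhtmltopdf builds embed identical subsets, so the font hashes cluster related samples), but a table directory that fails the bounds check is also worth a second look, since font parsers are a historically productive exploit surface.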