Malicious PDF — malware analysis report

Static analysis result for SHA-256 9cdbd101c6adb528…

Verdict: MALICIOUS
File type: PDF
Size: 76.2 KB
Created: 2021-04-03 08:06:20 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a31d3fa86143b5a075dc8f4bf760b396
SHA-1: dbdf21f4f2721bb11c4bf20343c533debb7ea2e8
SHA-256: 9cdbd101c6adb528679f5ab8e115d7fd96b63894b08f670b8fbf39a2532efae0
Risk Score: 196

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document exhibits characteristics of an advance-fee scam, presenting lures related to lotteries, prizes, and parcel deliveries. The presence of numerous external links, including one to 'golowaki.ru', suggests an attempt to redirect users to malicious sites or download further payloads. While no scripts were explicitly extracted, the ML classifier and ClamAV detection strongly indicate malicious intent, likely involving social engineering to defraud the user.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9996

Heuristics (6)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • SE_ADVANCE_FEE_SCAM_LURE (high): Advance-fee lottery/parcel scam lure
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://golowaki.ru/123?utm_term=dispute+credit+report+meaning

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000ece6.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xECE6   5360 bytes
  SHA-256: 0c0463b296a57473f9a3cd58e92ba16f4fce29ba2d010332a06468c000891451
font_01_sfnt_off0000ff11.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xFF11   10772 bytes
  SHA-256: decfe4ef9103944ecae02c83116762d7f5d15cac49a9c6b33de92436f77d69db