Malicious PDF — malware analysis report

Static analysis result for SHA-256 bb676cb989c58382…

MALICIOUS

PDF

113.2 KB Created: 2021-04-07 19:21:42 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d273e76d49eafa3a8b5e854f05a3184b SHA-1: 6256b564726f7790cebb21732c8c030decd0a3b9 SHA-256: bb676cb989c58382b7dc610fb0c3cae8184bdf20a122679b62b0015938605c52
196 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous external links, a common tactic for SEO poisoning and phishing. The 'SE_ADVANCE_FEE_SCAM_LURE' heuristic strongly suggests the document's content is designed to trick users into believing they are entitled to a prize or funds, requiring them to pay a fee or provide information. The presence of multiple PDF links and the ML classifier output further support a malicious classification.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ponafet.ru/123?utm_term=forsyte+saga+season+3+episode+guide
    • https://cdn.sqhk.co/wodelaganav/pg7O2gc/96632380630.pdf
    • https://cdn.sqhk.co/zativojor/gesjhij/latest_ringtones_2020_new_for_android_9.pdf
    • https://cdn.sqhk.co/nebafori/jj8hggg/72966339996.pdf
    • https://cdn.sqhk.co/jagojixego/RgfidKR/stick_run_2_beta.pdf
    • https://cdn.sqhk.co/kixarozikej/nDTUlVC/nupas_cadmatic_free.pdf
    • https://tudexabi.weebly.com/uploads/1/3/4/7/134770635/gajasupetikip_metoribowef_kalot.pdf
    • https://dilaxala.weebly.com/uploads/1/3/4/8/134865885/kepefulisovawekevo.pdf
    • https://cdn.sqhk.co/votezevon/jcJia0e/vofukiwasosup.pdf
    • https://xovobinawulum.weebly.com/uploads/1/3/4/8/134883327/e45687.pdf
    • https://tiwavejesuma.weebly.com/uploads/1/3/2/6/132681866/dikipozemobub-fakujizapaj-keromezojozeduv.pdf
    • https://cdn.sqhk.co/pilozarager/hj24lig/tanaduzapigeroxoxe.pdf
    • https://pedagojewixa.weebly.com/uploads/1/3/1/3/131398360/3239225.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/b9d9f702-8690-4ff4-9587-1ca95909e8a0/41108978765.pdf
    • https://ea74ff18-003d-4094-8454-8d7e15e33abb.filesusr.com/ugd/50de67_4c1a0b8e808b4a5f9e7d5ae3053204c0.pdf?index=true
    • https://fd0ef26f-7b8f-4c91-b3b2-19f7ec93487a.filesusr.com/ugd/4174bf_5080933d0d5e474bb23a2712e38c19d0.pdf?index=true
    • https://uploads.strikinglycdn.com/files/2cfe09f9-6e7b-4d09-bf3f-804590db9f29/60272103832.pdf
    • https://471876dd-1950-42f1-a4b7-18bccbaeda70.filesusr.com/ugd/5d8976_f70acd2c226a418c9494a677559458aa.pdf?index=true
    • https://0f939073-77d1-4307-aaa8-42539c8515e3.filesusr.com/ugd/85c9df_4658427ee6b64a68a94035ebbe8e2aab.pdf?index=true
    • https://7031c68c-cf47-488c-b9bd-b344696616f5.filesusr.com/ugd/51e9e9_54bf99a0aab64b81a83c0993247f8cd7.pdf?index=true
    • https://8ca15cf9-c5bf-4329-906a-32df3c7b5ab7.filesusr.com/ugd/4ca7f5_dce9f40524ee48da8395300e21047428.pdf?index=true
    • https://8d67285a-e3c5-4820-bb1a-bb91ce1079a6.filesusr.com/ugd/d54300_4c612606dd5c4a36bc46d7a505f69d92.pdf?index=true
    • https://7a6021ad-ea99-40b3-bafb-6570e045b460.filesusr.com/ugd/527ec5_dde7bd81aab64f4b9a34a6ccfcc244c0.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00017ea0.bin
342193687560aa7fc7457627d58c943971d63976d0f0a1b82027c40af26cbe0c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x17EA0 5316 bytes
font_01_sfnt_off000190cf.bin
df033336d1ab4c4a18e99698ad12dbe177c7f90165d0ea53e86e67503dbac5f0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x190CF 11404 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.