Malicious PDF — malware analysis report

Static analysis result for SHA-256 cdb00d63314639ea…

Verdict: MALICIOUS
File type: PDF
Size: 95.7 KB
Created: 2021-05-03 16:26:48 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4b823e9decd1288e12ab843f7878e5a1
SHA-1: d0444cf51419a24fc7f37cd8813f937b2e44dbe6
SHA-256: cdb00d63314639ea38db47c645783aac9fc72eb539efd382ff1878b665719cd4
Risk score: 204

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF is small and carries a large number of external links, mostly pointing at other PDF files on a handful of free-hosting and object-storage hosts; that is the shape of a generated SEO link farm used to route readers into malicious or unwanted-software delivery chains, not a normal citation pattern. The producer string (wkhtmltopdf) shows the file was rendered from an HTML page, which fits an automatically generated carrier. Text heuristics also match an advance-fee (lottery/parcel) scam lure and, more weakly, an invoice/payment lure, so the document is most likely a phishing or advance-fee lure disguised as an invoice or delivery notification. No JavaScript or other script objects were extracted from the file: the T1059.007 mapping is inferred from the delivery pattern rather than from an observed /JS or /JavaScript action, so treat JavaScript execution as a hypothesis to be confirmed by inspecting the link annotations' /A actions and the linked PDFs, not as an established capability of this sample.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9992

Heuristics (7)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware with signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0.
  • [high] SE_ADVANCE_FEE_SCAM_LURE: Advance-fee lottery/parcel scam lure
    The document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • [low] SE_INVOICE_LURE: Fake invoice / payment lure
    The document contains invoice or payment language paired with an action verb. This is useful context when combined with link, macro, or attachment indicators.
  • [info] PDF_URI: External URI
    The PDF contains an external URL action (/URI).
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content; it stays at info here, i.e. the redefined object was not judged to carry active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Note that the w3.org, purl.org and ns.adobe.com entries at the end of the list are XMP/RDF namespace identifiers from the metadata stream, and scripts.sil.org/OFL is the SIL Open Font License URL, most likely carried by the embedded fonts' license metadata; none of these is a clickable link and they should not be treated as indicators.
    • https://resalured.ru/strik?utm_term=should+congress+have+passed+the+affordable+care+act
    • http://palopepidek.mypressonline.com/fusionner_un_document.pdf
    • https://fukaxoxatu.weebly.com/uploads/1/3/1/4/131438517/56261f0b32ddd.pdf
    • http://tixesikixux.mygamesonline.org/los_mejores_amplificadores_de_audio_para_casa.pdf
    • http://kexedeziferu.sportsontheweb.net/53119203337.pdf
    • https://kisofufenuvojuw.weebly.com/uploads/1/3/4/6/134628350/wukap-dagawu-rijujemukufojut-wedolotuvesijov.pdf
    • http://nomokesus.sportsontheweb.net/30161954601.pdf
    • http://gejulavofanutar.mygamesonline.org/73650918429.pdf
    • https://zinenefubodejig.weebly.com/uploads/1/3/4/3/134338026/7ba91558.pdf
    • http://zekojotewakugag.mypressonline.com/12236771668.pdf
    • https://cdn.sqhk.co/derepinejabi/4hiD8ux/pulakelasotifaliper.pdf
    • https://sufixekanol.weebly.com/uploads/1/3/4/7/134712322/joguwas.pdf
    • http://niburufajanuto.sportsontheweb.net/mevogadu.pdf
    • https://cdn.sqhk.co/xafeperale/jMjewhd/miwinuzekikove.pdf
    • https://cdn.sqhk.co/disonixures/8jDhdIn/video_share_chat_malayalam.pdf
    • https://minufagotokuwak.weebly.com/uploads/1/3/4/4/134489045/7104099.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/tudawufed/bariloche_turismo_informacion.pdf
    • https://s3.amazonaws.com/jeponowon/65096258511.pdf
    • https://s3.amazonaws.com/rujimidujek/fivifom.pdf
    • https://s3.amazonaws.com/kabisebax/aquatic_animals_list.pdf
    • https://s3.amazonaws.com/desekusoxi/oral_b_pro_5000_battery_replacement.pdf
    • https://s3.amazonaws.com/lemerisinivum/chiari_malformation_type_3_symptoms.pdf
    • https://s3.amazonaws.com/bawalidamovidud/wazagutawemib.pdf
    • http://sulenovigadi.myartsonline.com/body_learning_alexander_technique.pdf
    • https://s3.amazonaws.com/sajatofubote/48376144427.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
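The two structural heuristics above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, can be reproduced with a few lines of object-level parsing. The following is an added example written for this page, not the analysis platform's own code: it walks every "N G obj ... endobj" definition in file order, counts /URI link targets per host for the link-farm check, and compares the body bytes of repeated (number, generation) pairs for the duplicate-object check, raising severity only when the redefinition carries an active key (/JS, /JavaScript, /Launch, /OpenAction, /AA). The sample PDF, the thresholds (200 KB, 10 links, 50% on one host) and all function names are assumptions; the sample is constructed in the block and is not the analysed file.

```python
"""Added example (not the analysis platform's own code): re-implementation of the
PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristics over a
constructed sample. Thresholds, the sample and all names are hypothetical."""
import hashlib
import re
from collections import Counter
from urllib.parse import urlsplit

# "N G obj ... endobj" in file order; duplicates from incremental updates are kept.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Keys whose presence in a redefined object turns a body-only duplicate into an active one.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA", b"/SubmitForm")


def parse_objects(pdf: bytes):
    """Return (num, gen, body) for every indirect object definition, in file order."""
    return [(int(n), int(g), body) for n, g, body in OBJ_RE.findall(pdf)]


def extract_uris(pdf: bytes):
    """Collect /URI action targets (the 'link annotation' channel of EMBEDDED_URL)."""
    return [u.decode("latin-1") for _, _, body in parse_objects(pdf) for u in URI_RE.findall(body)]


def link_farm_score(pdf: bytes, max_size=200_000, min_links=10, cluster_ratio=0.5):
    """PDF_SEO_LINK_FARM: small file, many external links, most of them on one host."""
    uris = [u for u in extract_uris(pdf) if u.startswith(("http://", "https://"))]
    hosts = Counter(urlsplit(u).hostname or "" for u in uris)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_n / len(uris) if uris else 0.0
    return {
        "size": len(pdf), "links": len(uris), "hosts": len(hosts),
        "top_host": top_host, "top_share": round(share, 3),
        "hit": len(pdf) <= max_size and len(uris) >= min_links and share >= cluster_ratio,
    }


def duplicate_objects(pdf: bytes):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: same (num, gen) defined twice with different bytes."""
    first = {}       # (num, gen) -> (sha256, body) of the first definition (first-wins readers)
    findings = []
    for num, gen, body in parse_objects(pdf):
        key = (num, gen)
        digest = hashlib.sha256(body).hexdigest()
        if key not in first:
            first[key] = (digest, body)
            continue
        if first[key][0] == digest:
            continue                       # byte-identical redefinition: nothing resolves differently
        active = any(k in body for k in ACTIVE_KEYS)
        findings.append({
            "obj": key,
            "severity": "high" if active else "info",  # raised only when the duplicate is active
            "first_wins": first[key][1][:60],           # what a first-definition reader resolves
            "last_wins": body[:60],                     # what an xref/last-definition reader resolves
        })
    return findings


def build_sample(update_action=b"/S/JavaScript/JS(app.launchURL('http://files.example.net/x'))"):
    """Constructed sample, not the analysed file: a tiny PDF whose link annotations cluster on
    one host, followed by an incremental update that redefines object 4 0 with a different body."""
    hosts = ["files.example.net"] * 10 + ["cdn.example.org", "www.example.com"]
    annots = b" ".join(b"%d 0 R" % i for i in range(4, 4 + len(hosts)))
    objs = [
        b"1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj",
        b"2 0 obj<</Type/Pages/Kids[3 0 R]/Count 1>>endobj",
        b"3 0 obj<</Type/Page/Parent 2 0 R/Annots[" + annots + b"]>>endobj",
    ]
    for i, host in enumerate(hosts, start=4):
        objs.append(b"%d 0 obj<</Type/Annot/Subtype/Link/A<</S/URI/URI(http://%s/%d.pdf)>>>>endobj"
                    % (i, host.encode(), i))
    original = b"%PDF-1.4\n" + b"\n".join(objs) + b"\ntrailer<</Root 1 0 R>>\n%EOF\n"
    update = (b"4 0 obj<</Type/Annot/Subtype/Link/A<<" + update_action
              + b">>>>endobj\ntrailer<</Root 1 0 R>>\n%EOF\n")
    return original + update


if __name__ == "__main__":
    sample = build_sample()
    print(link_farm_score(sample))
    for finding in duplicate_objects(sample):
        print(finding)
```

On the constructed sample the link-farm check fires (12 /URI links, 10 of them on files.example.net, well under the size cap) and the duplicate-object check reports object 4 0 as high, because the incremental update replaced a /URI link with a /JavaScript action; the same redefinition with a different /URI target is reported at info, matching the severity logic in the heuristic description. A real triage tool should additionally follow the xref chain rather than rely on file order, since the two need not agree.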

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000136ab.bin
  SHA-256: 777db0b8bfba9798c6c55ec8c2bab78aec9c537ba16ef0b6f5e3f73a5be2e013
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x136AB
  Size: 5720 bytes

Filename: font_01_sfnt_off00014a22.bin
  SHA-256: 528056196c1fc1bfb93eb416cbf43f7b67ba917757e46bcbd91b493c0178c908
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x14A22
  Size: 11424 bytes