Malicious PDF — malware analysis report

Static analysis result for SHA-256 ce0e42eead92d01d…

MALICIOUS

PDF

Size: 81.7 KB
Created: 2021-05-05 00:02:32 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 459efce37a82002b6aa46cd911552e40
SHA-1: 28c26ae9feab276e899298aca78282b70d573108
SHA-256: ce0e42eead92d01d2a3b76e21669336d9536ac339e62cf195b82d0fcd0463315
Risk Score: 226

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

This PDF file is identified as malicious by ClamAV and by an ML classifier, and it exhibits the characteristics of an advance-fee scam. It contains a large number of external links, including a suspicious URL, likely intended to redirect users to phishing or malware sites. The document's structure and the heuristic firings strongly suggest a social-engineering attempt to defraud the user.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (7)

  • Small PDF contains a mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000fdf7.bin
    SHA-256: 3be6e7787c39c0aa972e91a572dce8f2d8d105e0905ce5c92be59f7c1885b8de
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFDF7
    Size: 5540 bytes
  • Filename: font_01_sfnt_off000110be.bin
    SHA-256: 75be06e6f5eb347ae4c9367bbef2cc0866074b8f8dca6cc331c4a88e695be252
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x110BE
    Size: 11724 bytes