Malicious PDF — malware analysis report

Static analysis result for SHA-256 ce340abd6dec7753…

MALICIOUS

PDF

64.3 KB Created: 2021-02-22 18:08:26 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-18
MD5: 68c4304fcb3111bbe80398293cd51cf8 SHA-1: f144c540fd93a1bdd4efd5904b9523d6c8829e98 SHA-256: ce340abd6dec77535ec69ff4a2a901357769a0432715bfce024e0309d72b923b
146 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

The PDF file was detected as malicious by ML classifiers and ClamAV, indicating a phishing or trojan threat. The document body and embedded URLs suggest a lure related to product searches, specifically mentioning 'kwc wr30m watch price in pakistan', directing users to potentially malicious domains. The heuristic 'SE_CALLBACK_LURE' further suggests a callback phishing or tech-support scam pattern, aiming to trick users into calling a fraudulent number or visiting a malicious link.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jottigo.ru/123?utm_term=kwc+wr30m+watch+price+in+pakistan PDF link annotation
    • http://liketime.fun/action_games_for_android_2._3._6qh3de.pdfIn PDF document text
    • http://tugezij.22web.org/camino_del_norte_etappen.pdfIn PDF document text
    • http://help-feedback-amzn8.xyz/onn_universal_remote_codes_for_insignia_tv4iqkw.pdfIn PDF document text
    • http://form-lnstagramcopyrightservice.com/rowuvezomefafodejivut0txc0.pdfIn PDF document text
    • http://menbp.online/ctv_news_montreal_reportersyv1eo.pdfIn PDF document text
    • http://e-devletturkiyeaidatsistemimgovtr.com/63651291827ny6xq.pdfIn PDF document text
    • http://madewithsunshine.com/gesisiwt45zs.pdfIn PDF document text
    • https://wevikafajaxa.weebly.com/uploads/1/3/1/1/131164556/sabuzove.pdfIn PDF document text
    • http://tihefers.online/39093436064j0slp.pdfIn PDF document text
    • https://zeruxitewisav.weebly.com/uploads/1/3/1/8/131856065/293616.pdfIn PDF document text
    • https://tesutubesonazi.weebly.com/uploads/1/3/4/6/134682982/a72fee3525f368c.pdfIn PDF document text
    • http://xubozogafajus.22web.org/17916522260.pdfIn PDF document text
    • http://rrrrkkkkk.space/vozosenakamokozimiu28i4.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://s3.amazonaws.com/dudujopixejikug/8954211605.pdfIn PDF document text
    • http://nupawibufa.epizy.com/nespresso_aeroccino_4_milk_frother_how_to_use.pdfIn PDF document text
    • https://s3.amazonaws.com/makumapikeze/41912886800.pdfIn PDF document text
    • http://kixixiwibatogit.epizy.com/alberta_blue_cross_health_spending_account_form.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000bd73.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xBD73 5572 bytes
SHA-256: 20bb63d435b5a83df76da1e0573304fcaa075548543b2b1f438486687be5f59f
font_01_sfnt_off0000d04a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD04A 10572 bytes
SHA-256: 72fe289756b9b046470b6a24278d49f1db6ef8e211b113273aa3e0dcfe46356a