Malicious PDF — malware analysis report

Static analysis result for SHA-256 ec3c115549679553…

MALICIOUS

PDF

79.4 KB Created: 2021-03-18 00:04:04 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9036adca1a4bc6b2db0aea8e9255a411 SHA-1: 89364e8613fd1a7cefb7d1b4bc8295b046763b9f SHA-256: ec3c115549679553fcc438f7ccb59af8a3b455d06da7deb621a2816b0f97e7f6
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

The PDF contains heuristics indicating it is a link farm and a phishing lure, with a high ML classification score and ClamAV detection. The embedded URL points to a domain associated with SEO link farming, suggesting a malicious intent to redirect users. While no scripts were explicitly extracted, the PDF structure and heuristics strongly suggest it's designed to exploit vulnerabilities or trick users into downloading further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://kuzutuzo.ru/award?keyword=method+of+payment+in+international+trade+pdf
    • https://wagimudo.weebly.com/uploads/1/3/4/4/134475497/505eefe3c04f2.pdf
    • https://static.s123-cdn-static.com/uploads/4501201/normal_60036578bee98.pdf
    • https://dukilukisa.weebly.com/uploads/1/3/1/0/131070258/gukufevapena-rifulobewu-wodixo-vapajo.pdf
    • https://static.s123-cdn-static.com/uploads/4415742/normal_5ff54a588d967.pdf
    • https://cdn-cms.f-static.net/uploads/4378164/normal_603c670573991.pdf
    • https://cdn-cms.f-static.net/uploads/4407331/normal_6045f1ff54758.pdf
    • https://tamoniwezetiro.weebly.com/uploads/1/3/5/9/135961995/2084076.pdf
    • https://cdn-cms.f-static.net/uploads/4366324/normal_6016c3ef07cc9.pdf
    • https://static.s123-cdn-static.com/uploads/4446162/normal_600833ead008c.pdf
    • https://cdn-cms.f-static.net/uploads/4471512/normal_6022bc3c821e9.pdf
    • https://static.s123-cdn-static.com/uploads/4488116/normal_5fc9ef18f39a6.pdf
    • https://cdn-cms.f-static.net/uploads/4424010/normal_600d5c527b58e.pdf
    • https://cdn-cms.f-static.net/uploads/4460725/normal_5fd63f1fe3d0d.pdf
    • https://static.s123-cdn-static.com/uploads/4498842/normal_5ff42842aab52.pdf
    • https://cdn-cms.f-static.net/uploads/4380527/normal_5fe857c0c8446.pdf
    • https://cdn-cms.f-static.net/uploads/4422640/normal_601c648e5a665.pdf
    • https://rowagikej.weebly.com/uploads/1/3/4/6/134678960/vidutagejawa.pdf
    • https://cdn-cms.f-static.net/uploads/4495402/normal_60300d52e945c.pdf
    • https://cdn-cms.f-static.net/uploads/4365606/normal_601fee8f73b05.pdf
    • https://cdn-cms.f-static.net/uploads/4420244/normal_6049a9f5ad426.pdf
    • https://static.s123-cdn-static.com/uploads/4377935/normal_5ffe8462ea922.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://e6c529cc-411f-4195-b5ea-7b5fd081490a.filesusr.com/ugd/b7ab08_cc224b8b25324b1a949f72422ecbc46d.pdf?index=true
    • https://0f285ee0-1b14-49a2-8a3e-060a2db94812.filesusr.com/ugd/4bf67f_ebcbcbda5d474189bfc6a6725530defd.pdf?index=true
    • https://69b3109a-7cce-4514-9193-d2106d9976ab.filesusr.com/ugd/3c2969_46b4ad2aaf114966870ea7ea5f40f759.pdf?index=true
    • https://d4996ccb-aecf-47c4-aab6-3c4fe022e1b7.filesusr.com/ugd/b7ed05_1f461e248cf540b7a22141be2afdb508.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f69d.bin
b8551bb9e444eac3ec22dc38021533a35808e9450c810933ad257ebe4bcc4e81		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF69D 5208 bytes
font_01_sfnt_off0001083e.bin
291b58d853fc1a0b66fafe3ac67dc749791dcd4703d3c0ed98527da94fb547f8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1083E 11060 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.