Malicious PDF — malware analysis report

Static analysis result for SHA-256 f3fe7308d148cd9a…

MALICIOUS

PDF

Size: 79.5 KB
Created: 2021-03-23 09:10:31 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c68738e1df257172d88398ee10857b73
SHA-1: d29312567f558fc4fe3d50d5712831154cc69f62
SHA-256: f3fe7308d148cd9a939f981975da97750649dd03c7cccbc134f7d4f8b872e47c
Risk Score: 174

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains heuristics indicating it is a link farm and uses an advance-fee scam lure, suggesting it is designed to trick users into visiting malicious URLs. The presence of an external URI pointing to 'baarspo.ru' further supports this, as it is likely a phishing or malware distribution domain. No scripts were extracted, but the overall structure and heuristics point to a malicious document.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (7)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://baarspo.ru/strik?utm_term=autocad+jobs+salary+in+uae
    • https://static.s123-cdn-static.com/uploads/4490121/normal_6002ad40b92be.pdf
    • https://cdn.sqhk.co/vegedusovo/haAcibZ/online_compiler_c_tutorialspoint.pdf
    • https://cdn.sqhk.co/toxodimina/mPjchhV/toratopidazuvofapag.pdf
    • https://bepagiji.weebly.com/uploads/1/3/4/3/134352373/2268031.pdf
    • https://bumewotosebixab.weebly.com/uploads/1/3/5/2/135298585/desizewewan.pdf
    • https://simokenuma.weebly.com/uploads/1/3/5/3/135311421/bixatozinu.pdf
    • https://static.s123-cdn-static.com/uploads/4471256/normal_600146acb1cf6.pdf
    • https://tojumemi.weebly.com/uploads/1/3/1/3/131379390/4737127.pdf
    • https://puxasuzad.weebly.com/uploads/1/3/4/3/134352875/xetato.pdf
    • https://cdn.sqhk.co/fujigugi/hfgfhdT/pinunorabak.pdf
    • https://cdn.sqhk.co/rikopekela/jeNjdjg/nba_g_league_coach_salary.pdf
    • https://cdn-cms.f-static.net/uploads/4495393/normal_600f64c0ce104.pdf
    • https://static.s123-cdn-static.com/uploads/4413714/normal_5fcb06047cee4.pdf
    • http://bokubewere.22web.org/13554109717.pdf
    • https://ratisajaruniz.weebly.com/uploads/1/3/1/4/131455275/munegu.pdf
    • https://kixofugowewo.weebly.com/uploads/1/3/1/8/131872146/raresizikemep.pdf
    • https://cdn-cms.f-static.net/uploads/4366351/normal_6041ea5832d75.pdf
    • https://cdn.sqhk.co/gizivapejoko/Hiayji2/29957863202.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://nugafafekovad.epizy.com/the_burnout_society_byung_chul_han.pdf
    • http://bezepegu.epizy.com/w-_4_personal_allowances_worksheet_2019.pdf
    • http://sonopuzogex.rf.gd/stannah_stairlift_model_600.pdf
    • http://fobifuv.epizy.com/checkpoint_firewall_software.pdf
    • http://fipaduwa.epizy.com/a_single_man_movie_quotes.pdf
    • http://pewinipuwuva.rf.gd/72880014760.pdf
    • http://jamowekovexure.epizy.com/27574039089.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off0000f88d.bin
    SHA-256: 1e374be4505c5ead21a7fa5d2a9b6f37092b29a7b93a2ca20df1d2e27e2d6b01
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF88D
    Size: 5240 bytes
  • font_01_sfnt_off00010a75.bin
    SHA-256: 1b32eaeba96cf1fb57effe30e66ef09cecd0adc73abe7c8107e161b8fee4e93f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10A75
    Size: 11208 bytes