Malicious PDF — malware analysis report

Static analysis result for SHA-256 05132d68b16dc7c8…

Verdict: MALICIOUS
File type: PDF
Size: 418.2 KB
Created: 2021-03-15 21:56:14 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 79ad58403a5c1fe2c098bce8a4b9211a
SHA-1: 105885593cdc5af0d07b69370668f348b5fab652
SHA-256: 05132d68b16dc7c8f7bb7d39f252d4d419fc37635a2e5f640ca8fd80751fd4b1
Risk Score: 164

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by a machine learning classifier and ClamAV as malicious, exhibiting characteristics of an advance-fee scam and callback phishing lures. The presence of an external URI pointing to 'golowaki.ru' suggests an attempt to redirect the user to a malicious site. While no scripts were explicitly extracted, the PDF structure and heuristic firings strongly indicate a phishing or scam attempt, likely delivered as a spearphishing attachment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9683

Heuristics (7)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0.
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings.
  • External URI info PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://golowaki.ru/wix?keyword=debbi+peterson+instagram

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off00063a49.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x63A49  5244 bytes
  SHA-256: 2f9abddfc84c20f842248d1cdb5f1acf045c3785237487a0008ddbb2cb98e16a
font_01_sfnt_off00064c0f.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x64C0F  13540 bytes
  SHA-256: 10f29d3fb687eba0fc5c096417ea51692647207215d132dd44d58a4926198e63