Malicious PDF — malware analysis report

Static analysis result for SHA-256 14907c9523d8acd8…

Verdict: MALICIOUS
File type: PDF
Size: 648.7 KB
Created: 2021-04-07 04:15:32 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 90ba75672d4e07c13a520dbfd4b70d14
SHA-1: df722fb2ed2768ba1dd0fac1f9c5ad6c78d3d5c6
SHA-256: 14907c9523d8acd82466320ed05b790b557f8d2107f4654a5c518dc0feff76ce
Risk Score: 182

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution

The document exhibits characteristics of an advance-fee scam, using urgency lures and suggesting a download action. The presence of external URLs, including one identified as a potential download source, indicates a likely attempt to deliver a secondary payload. The ClamAV detection further supports the malicious classification.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.4422

Heuristics (9)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Each entry lists Filename, SHA-256, Kind, Source and Size.

  • stream_018_off0009dd3d.bin
    SHA-256: 112b1d245984105cc8a2a8e7b30e39937daee08f5c3fb19e55723c88c99ca63f
    Kind: decompressed-pdf-stream; Source: PDF FlateDecoded stream at offset 0x9DD3D; Size: 28764 bytes
  • font_00_sfnt_off00092810.bin
    SHA-256: 63918f0495d5863976c8752c90d95c56f1c073747ef567a031544105186753d7
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x92810; Size: 6740 bytes
  • font_01_sfnt_off000938c2.bin
    SHA-256: c674d42f358ff049f570b3358354192215d007c4dee4c3f5f923d17a7b9df771
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x938C2; Size: 25812 bytes
  • font_02_sfnt_off000989fe.bin
    SHA-256: 65a4c93326f6cb7c144c78828c4e8c2453f82f2cedbefd7d1c3ba248c7e538cd
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x989FE; Size: 5496 bytes
  • font_03_sfnt_off00099cc1.bin
    SHA-256: 37de60968659ca8aaf5ed8cafe73da4eb1cd9dac9769938e8fcf8d8e5381040e
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x99CC1; Size: 1728 bytes
  • font_04_sfnt_off0009a56e.bin
    SHA-256: d640b6cbf4d1569d8acb673d2beade470c3e1f9c047d8300ed1dfa5f5381604b
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x9A56E; Size: 19076 bytes