Malicious PDF — malware analysis report

Static analysis result for SHA-256 265f87d9cc5d9158…

Verdict: MALICIOUS
File type: PDF
Size: 206.1 KB
Created: 2021-01-22 23:01:39 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: deaa7dce4dc080385c7d8f5a5a9ca716
SHA-1: a4fb6d8ffcc823e178dc277a096e6de5411a64f9
SHA-256: 265f87d9cc5d9158e8133e6199904b88c2d1193fbb3fb39f1497263fe55c79c4
Risk score: 136

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The sample was identified as malicious by ML classifiers and ClamAV, with a high-severity heuristic indicating an advance-fee scam lure. The document body, though heavily obfuscated, contains text related to 'wkhtmltopdf' and a URL that aligns with the scam lure. The presence of embedded URLs suggests an attempt to redirect the user to malicious content, likely to further the scam or download additional payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9548

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Advance-fee lottery/parcel scam lure (severity: high, rule: SE_ADVANCE_FEE_SCAM_LURE)
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0002f615.bin
  SHA-256: 61dfd374e5f660590925e87109d1c903f468f1c59da89ff1995222abfafcc748
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x2F615
  Size: 4848 bytes

Filename: font_01_sfnt_off00030669.bin
  SHA-256: 2df67e721ea1c89956ae1b4b3ab05471e2d00b788b221ac6e33aaf06bdfcf5e1
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x30669
  Size: 10720 bytes