Malicious PDF — malware analysis report

Static analysis result for SHA-256 2f71b2a7d33aaa9c…

MALICIOUS

PDF

1.53 MB Created: 2020-03-17 09:44:04 +00:00 Authoring application: calibre 3.31.0 [https://calibre-ebook.com]
MD5: 64c6aa6faa3f195f0725a9abd9c9b085 SHA-1: 7d10ac1df4660b7d5644fddef64d01f37a1edd1b SHA-256: 2f71b2a7d33aaa9c1a7c15a703e822ab52c172fa6da491aa1fff68b54d4ee816
98 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF contains heuristics indicating an advance-fee scam lure, specifically mentioning parcel delivery and urgency. It also contains embedded URLs, one of which is a URL shortener, likely leading to a malicious site. The document body, though heavily obfuscated, contains language suggesting urgency and potential financial loss, consistent with phishing or scam attempts.

Heuristics 7

  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Unusually high stream count medium PDF_MANY_STREAMS
    PDF contains 501+ stream objects — may indicate heap spray or heavy obfuscation
  • Clickable URI uses URL shortener medium PDF_URL_SHORTENER_URI
    PDF contains a clickable HTTP(S) action whose destination is a URL shortener. This hides the final landing page from static review and is common in phishing redirect PDFs.
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://prismstandard.org/namespaces/basic/2.0/
    • http://www.funsciencegroup.com/
    • http://www.realestateabc.com/glossary/
    • https://calibre-ebook.com
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xmp/Identifier/qual/1.0/
    • http://ns.adobe.com/pdfx/1.3/
    • http://calibre-ebook.com/xmp-namespace
    • http://calibre-ebook.com/xmp-namespace-custom-columns
    • http://calibre-ebook.com/xmp-namespace-series-index
    • http://tinyurl.com/realestatevocab

Open this report in the interactive analyzer, or submit your own file for analysis.