Malicious PDF — malware analysis report

Static analysis result for SHA-256 3ae69380652aa00e…

Verdict: MALICIOUS

File type: PDF

Size: 84.2 KB
Created: 2021-03-10 12:12:36 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 47cd3e613f292ada1e9208b741d3513d
SHA-1: 73348d3714ddd9e734cebdf0b5de91c4ce9a0d53
SHA-256: 3ae69380652aa00e1036cfe91a5be4fdfee3c3cb2a8226c7b52fae880a746035
Risk Score: 136

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

This PDF document was flagged as malicious by a machine learning classifier and ClamAV, indicating a high likelihood of malicious intent. The heuristic 'SE_ADVANCE_FEE_SCAM_LURE' strongly suggests the document is designed to trick users into a financial scam, likely by impersonating a prize notification or parcel delivery service. The presence of multiple external URLs further supports this, as they are likely used to host malicious payloads or redirect victims to phishing sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will therefore resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

  • font_00_sfnt_off000107da.bin
    SHA-256: 21d5e091b6f4d3f2afe783b1f20fee537c60f780de0b47c299935d030d15cdb8
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x107DA
    Size: 5656 bytes
  • font_01_sfnt_off00011b26.bin
    SHA-256: 407c69e9e4480b2a50983329494519c7ea8a3b926f120ca0226cf7eb0bbf8adb
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11B26
    Size: 11748 bytes