Malicious PDF — malware analysis report

Static analysis result for SHA-256 417c68519a4c91dd…

MALICIOUS

File type: PDF
Size: 274.4 KB
Created: 2021-05-14 10:00:16 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: cc22adbf4ed5c37876f5e43133740d8a
SHA-1: 223d4e2d21d5fd543955c32e718a5f18d87aa555
SHA-256: 417c68519a4c91dd9e4d0bc5b83d55f110d35b02826199264b6f5da253351ea2
Risk Score: 136

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The document exhibits characteristics of an advance-fee scam, using lottery or prize language combined with parcel delivery requirements to defraud the user. The embedded URL 'https://nipisod.ru/strik?utm_term=when+did+human+history+begin' likely serves as a lure to a malicious site or to download a secondary payload. While no scripts were explicitly extracted, the PDF structure and heuristic firings strongly indicate malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9479

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://nipisod.ru/strik?utm_term=when+did+human+history+begin
    • https://luxaxila.weebly.com/uploads/1/3/0/8/130814132/pimepafufamupubos.pdf
    • http://usesalon.xyz/kuroxolirogonukujexor4k5d.pdf
    • http://vashastrahovka24.ru/54881513023fy83e.pdf
    • https://taxefijiduru.weebly.com/uploads/1/3/5/3/135311915/2721683.pdf
    • http://lojasamericanasbr.com/obra_romeo_y_julieta_resumen_cortoe0jxa.pdf
    • http://momopenuwawe.iblogger.org/alimentacion_y_nutricion.pdf
    • https://bijivabaj.weebly.com/uploads/1/3/4/6/134601785/wudasepisol.pdf
    • https://tigobatimomovo.weebly.com/uploads/1/3/2/7/132740361/9713052.pdf
    • http://nozudozaki.22web.org/kinagenupokidogaj.pdf
    • http://lovelyhouse.online/unicode_converter_freezwrr4.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • http://moxinipikilugu.rf.gd/78500060174.pdf
    • http://gedawov.epizy.com/alborada_del_gracioso.pdf
    • https://3f735f5a-cd1c-4288-bd93-adeff6e084d9.filesusr.com/ugd/bcc0e4_b6f0d7fc7bbd46cc9fda5919f73f9ba9.pdf?index=true
    • https://4993f9ff-345c-4c03-a8ec-d4f8dac664d6.filesusr.com/ugd/debbe1_2de3b011776d41ed9268a09a7b0a8c99.pdf?index=true
    • https://a0bbd489-bf03-48a0-8e93-88abd0751e5b.filesusr.com/ugd/370ea2_29b231b6db284441858b50f79a23fa89.pdf?index=true
    • http://numebazo.rf.gd/audited_balance_sheet_sample.pdf
    • https://ca3ec1ac-6ff7-4c8f-ae0f-86a30d86e335.filesusr.com/ugd/3615fb_759d168643dc4844845ec16f23b8ce52.pdf?index=true
    • https://20097937-9b7a-4da4-851c-33e9a8906939.filesusr.com/ugd/1e3518_31a3503b6c084f72bc7468dede21ca22.pdf?index=true
    • https://s3.amazonaws.com/jofunozuzof/dirawutawegikawuzana.pdf
    • https://s3.amazonaws.com/toniseligiwuzux/39398315609.pdf
    • https://s3.amazonaws.com/nemafu/98474800726.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 4

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off0003de11.bin
    SHA-256: 8871004a02210ffa92f82b4479a9c0e64b37af3f125b35e7d07495a69de1753e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x3DE11
    Size: 3348 bytes
  • font_01_sfnt_off0003ea34.bin
    SHA-256: ca287cac8b97fdead15a09b05bb29aacd81c38e45dd3b2e1d864ff499e7ae5fc
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x3EA34
    Size: 5344 bytes
  • font_02_sfnt_off0003fc3a.bin
    SHA-256: cdb58fb020f00ed4429908302319a33123ca70eaad036cadeea6e283565ba3a1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x3FC3A
    Size: 16712 bytes
  • font_03_sfnt_off00042bb3.bin
    SHA-256: b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x42BB3
    Size: 4324 bytes