Malicious PDF — malware analysis report

Static analysis result for SHA-256 5a9bdc8e6d10fd5e…

Verdict: MALICIOUS
File type: PDF
Size: 28.9 KB
Created: 2024-11-22 12:19:40 UTC
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 71fa2fea553b9df8eab077f6b5af3ed7
SHA-1: e01d01c7d01ff890a5ece78bfa5e38b43d621204
SHA-256: 5a9bdc8e6d10fd5e0fa908e4d6a19ea81f150c9b5f0206d75c7b9e24316e4b13
Risk Score: 84

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The sample is a PDF document identified as malicious, exhibiting characteristics of an advance-fee scam. It contains language suggesting a lottery or prize, combined with requirements for parcel delivery, a common lure for such fraud. The PDF also embeds an external URI pointing to 'suntekaluminium.com.au/cos.html', which is likely part of the scam infrastructure. No scripts were extracted, and the primary attack vector appears to be social engineering through document content.

Machine Learning

  • Nyx PDF Classifier clean score 0.0066

Heuristics (4)

  • Advance-fee lottery/parcel scam lure (severity: high, rule: SE_ADVANCE_FEE_SCAM_LURE)
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Suspicious payload delivered in a password-protected archive (severity: high, rule: ARCHIVE_ENCRYPTED_SUSPICIOUS_DELIVERY)
    The archive was password-protected (opened with a common malware-analysis password) and its extracted content is independently suspicious. Password-protecting the wrapper is a deliberate mail-gateway / static-scanner evasion; combined with suspicious content this is the standard malspam delivery pattern.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted:
    • https://suntekaluminium.com.au/cos.html
    • http://www.microsoft.com/typography/fonts/
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00000fee.bin | 91617357cf7c54d537140737cab5f6a22a943fad1987962832f37624f80809d4 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFEE | 7248 bytes
font_01_sfnt_off000025fa.bin | c03a14870ce03ea694290ccaea95d7aa70b358cde56d5c3ab252348725dee4f2 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x25FA | 14004 bytes
font_02_sfnt_off00003c66.bin | 1719fd2df79d73678efdc13e4275726424ac8205d3162c645b569f577d486df5 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x3C66 | 9324 bytes
font_03_sfnt_off00005969.bin | 4b239a85385e486f0477d9be33fee2c13a521317b9690e0ae1fc76f35fac2801 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5969 | 7168 bytes