Malicious PDF — malware analysis report

Static analysis result for SHA-256 7382d74511ebb055…

Verdict: MALICIOUS
File type: PDF
Size: 13.74 MB
MD5: 63b7c3a61471cd256a25eac24fb429ac
SHA-1: fb6ef4c834009abca5de47f00863a65fef0ab4fc
SHA-256: 7382d74511ebb055e33343a59e99e0601c90f8034ec9b330114a8e8dcbea4f1f
Risk score: 186

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains multiple lures indicative of financial fraud, including advance-fee scam language, payment redirection, and urgency to act. The ML classifier also flagged the PDF as malicious. While no scripts were directly extracted, the presence of many streams and obfuscated font data suggests an attempt to hide malicious content, likely involving external URLs for further stages. The document's structure and content strongly suggest a phishing or business email compromise attempt.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.6951

Heuristics (9)

  • Advance-fee lottery/parcel scam lure (high, SE_ADVANCE_FEE_SCAM_LURE)
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Password-protected archive handoff (high, SE_PASSWORD_ARCHIVE_LURE)
    Document gives password instructions for an archive or attachment; this is often used to keep payloads encrypted until after gateway scanning.
  • Payment redirection / bank-detail change lure (high, SE_PAYMENT_REDIRECT_LURE)
    Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions, a high-value business-email-compromise pattern.
  • Unusually high stream count (medium, PDF_MANY_STREAMS)
    PDF contains 501+ stream objects; this may indicate heap spray or heavy obfuscation.
  • Urgency / deadline lure (low, SE_URGENCY_LURE)
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.). This is useful context, but low-signal without other findings.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (12)

Files carved from inside the sample during analysis.

  • objstm_0746_00.bin
    SHA-256: d2ccf45e09201a8707aa085bfa39515c0bf3044d60f8eafa48de4aebebe26206
    Kind: pdf-objstm-decoded
    Source: PDF /ObjStm 746 0 obj (inflated)
    Size: 2471 bytes
  • font_00_cff_off005cbd14.bin
    SHA-256: b8c970d7ab28f22cc69d9da76cf7a686921532c8acf55da4ac260ed3b55a561e
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x5CBD14
    Size: 2448 bytes
  • font_01_cff_off005cc5f2.bin
    SHA-256: fe699e8ae21618a6e9a7cc5dc2b9a870f9ab6fdb23887877793bb28f67135c7e
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x5CC5F2
    Size: 416 bytes
  • font_02_cff_off006b9583.bin
    SHA-256: e8eadbd38f43264290b2b668b6b70a1d5e87377bc5b6abf28548b8d8c33b0fea
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x6B9583
    Size: 58504 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact entropy is 7.44, consistent with packed or encrypted content).
  • font_03_cff_off00716392.bin
    SHA-256: ba475214b58fcb3ad34233ca09eb53e2d45de8adf06c0b8bd8fc27f4751b0890
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x716392
    Size: 55603 bytes
  • font_04_cff_off00d28212.bin
    SHA-256: 8b3affe5ae8f4a9bf804ff2c74d6bf1090a27250ae434dc9f19970187f484ac9
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0xD28212
    Size: 54275 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact entropy is 7.47, consistent with packed or encrypted content).
  • font_05_cff_off00d3a9af.bin
    SHA-256: ae04960540e542db9b518bc144192d4f4517604301ea151b8691cbc1853742f6
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0xD3A9AF
    Size: 45019 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact entropy is 7.41, consistent with packed or encrypted content).
  • font_06_cff_off00d43343.bin
    SHA-256: 8893280255b7b59e2e44c650f2dc2de52b04859f88209e22190b4cdb0fa93134
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0xD43343
    Size: 49877 bytes
  • font_07_cff_off00d5ac36.bin
    SHA-256: 951659608a4f7b7155cdcaeff36d1504e64d1a457549bcba125c7907d07fb1e2
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0xD5AC36
    Size: 133878 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact entropy is 7.49, consistent with packed or encrypted content).
  • font_08_cff_off00d74407.bin
    SHA-256: cc9e42a4da8889382117bd1bdd099b4b6e500e53af5857c6f95d81c4657f1267
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0xD74407
    Size: 53248 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact entropy is 7.48, consistent with packed or encrypted content).
  • font_09_sfnt_off00d8fbfe.bin
    SHA-256: ee5d2af296f8236c593447ab179380b3b375750b8ecd9ba25c9f94a5979d81f2
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD8FBFE
    Size: 7012 bytes
  • font_10_sfnt_off00d90d36.bin
    SHA-256: 65144835c450ca3f076fed16445ed749fea733c0ec68a1eb431cb3395018c0f3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD90D36
    Size: 196548 bytes