Malicious PDF — malware analysis report

Static analysis result for SHA-256 76f74f3d7f71ce8d…

MALICIOUS

PDF

154.7 KB Created: 2021-04-02 02:52:43 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6c6b85e724aa70000473a0cabf01c5aa SHA-1: 7d9cd533db44ffb7315a26e47c61e4207525f674 SHA-256: 76f74f3d7f71ce8dd6fc3bf82fa0648bfee08f3ad28bc60d861d4935a18e1fe0
Risk Score: 136

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

Multiple heuristics flag the sample as a malicious PDF, specifically an advance-fee scam lure. The extracted document text combines lottery/beneficiary or prize language, large-value draft/funds wording and parcel/courier delivery requirements (SE_ADVANCE_FEE_SCAM_LURE); ClamAV matches it with a Pdf.Phishing.Trojan signature and the Nyx PDF classifier scores it 0.9708. The document carries an external URL action (PDF_URI) and a large number of extracted URLs. The ones that matter for follow-up are the pelibifir.ru link, which the report ties directly to the lure, and the PDF links on free site-builder and web-hosting domains (weebly.com, strikinglycdn.com, sqhk.co, 22web.org, epizy.com, rf.gd and similar), which are the likely channel for redirecting the victim or fetching a further payload. The remaining URLs (the w3.org, purl.org and ns.adobe.com namespace identifiers, the SIL OFL and DejaVu licence links, and the Ascender Corp and Dalton Maag font-vendor addresses) are XMP metadata and embedded-font strings that wkhtmltopdf/Qt output routinely carries; they are not indicators. No scripts were extracted, so the T1059.007 (JavaScript) mapping is not backed by recovered evidence. The one structural finding, an object number defined twice with different bodies, is reported at info severity because the duplicate carries no active content and the pattern is common in benign incremental updates; the verdict rests on the lure content, the ClamAV signature and the classifier score, not on PDF structure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9708

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://pelibifir.ru/wix?keyword=camp+geronimo+odd1sout
    • https://wejigewaja.weebly.com/uploads/1/3/5/4/135400860/siselitiribopejibeg.pdf
    • https://zogetira.weebly.com/uploads/1/3/4/5/134502553/kijevome_pisowu_bomuz_maponaf.pdf
    • https://cdn.sqhk.co/jimumakevaji/gdichdO/bingo_bloon_bingo_games_for_free_by_gsn.pdf
    • https://cdn.sqhk.co/buxoxurobewi/bMjgggf/zexujowov.pdf
    • http://bezinawevudo.22web.org/basic_english_grammar_saddleback.pdf
    • http://zokugorevat.mywebcommunity.org/larufirufelupib.pdf
    • http://dobomepederu.22web.org/tilof.pdf
    • https://cdn.sqhk.co/xiwasazafu/AV9gj9j/celtic_frost_journey_into_fear.pdf
    • https://misiwutikamiba.weebly.com/uploads/1/3/4/6/134601431/vivumepegenesiz.pdf
    • http://pixubak.iblogger.org/76521432161.pdf
    • https://nalabusapigo.weebly.com/uploads/1/3/2/7/132740218/lesatifoxabigabuvu.pdf
    • https://sobomimaseneke.weebly.com/uploads/1/3/1/3/131379860/2147736.pdf
    • http://dipazekonowa.mypressonline.com/army_pay_fixation_chart_2017.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://uploads.strikinglycdn.com/files/97f63b7a-ccb5-4248-8433-5951a1c9f208/vavuzodimuposuvuvaxuwed.pdf
    • https://uploads.strikinglycdn.com/files/02def799-cc3e-4f5c-b1f9-22cef9c91d70/why_do_i_keep_waking_up_after_every_dream.pdf
    • http://mifetominugumow.epizy.com/69288477096.pdf
    • http://vodupuginotipir.rf.gd/jet_engine.pdf
    • http://mekigutesazi.epizy.com/craft_the_world.pdf
    • https://uploads.strikinglycdn.com/files/60bb0739-3906-4185-b790-f38973eda4ef/whats_an_ir_extender_cable.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
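The two structural notes above (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and EMBEDDED_URL) are easier to act on with a scanner that shows which body a first-wins and a last-wins reader would resolve for a duplicated object, escalates only when a version carries active content, and tags each URL with the channel that carries it rather than treating the URL itself as a detection. The following is an added example, not the analysis tool's code. It runs on a constructed PDF byte string (object numbers, offsets, the /Prev value and the .invalid domains are made up) and is regex-based, so it ignores compressed object streams and hex-encoded strings.

```python
"""Added example, not the analysis tool's code: a regex-level PDF scan that (1) finds
indirect objects defined twice with different bodies and escalates only on active
content (the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL shape) and (2) tags every URL with
the channel that carries it (the EMBEDDED_URL note). Compressed object streams and
hex-encoded <...> strings are not handled."""
import re
from collections import defaultdict

OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
URL_RE = re.compile(rb"https?://[^\s<>()\"']+")
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA", b"/URI",
               b"/SubmitForm", b"/GoToR", b"/EmbeddedFile")

def objects(pdf):
    """Yield (num, gen, offset, body) for every 'N G obj ... endobj' in file order."""
    for m in OBJ_RE.finditer(pdf):
        yield int(m.group(1)), int(m.group(2)), m.start(), m.group(3).strip()

def conflicting_duplicates(pdf):
    """One record per (num, gen) defined more than once with differing bytes.
    versions[0] is what a first-wins reader resolves, versions[-1] what a last-wins
    reader resolves; byte-identical re-saves are ignored, and severity is 'high'
    only when either version carries an active-content key."""
    defs = defaultdict(list)
    for num, gen, off, body in objects(pdf):
        defs[(num, gen)].append((off, body))
    out = []
    for (num, gen), versions in defs.items():
        if len({b for _, b in versions}) < 2:
            continue
        both = versions[0][1] + b" " + versions[-1][1]
        keys = sorted(k.decode() for k in ACTIVE_KEYS
                      if re.search(re.escape(k) + rb"(?![A-Za-z])", both))
        out.append({"obj": f"{num} {gen}", "definitions": len(versions),
                    "first_offset": versions[0][0], "last_offset": versions[-1][0],
                    "active_keys": keys, "severity": "high" if keys else "info"})
    return out

def channel_of(body):
    """Name the channel an object represents from its dictionary keys."""
    if re.search(rb"/(JS|JavaScript)\b", body):
        return "javascript"
    if re.search(rb"/S\s*/URI\b", body) or re.search(rb"/Subtype\s*/Link\b", body):
        return "link_annotation"   # clickable target
    if re.search(rb"/Type\s*/Metadata\b", body) or b"<rdf:RDF" in body:
        return "xmp_metadata"      # namespace identifiers, never dereferenced
    if re.search(rb"/FontFile[23]?\b", body) or re.search(rb"/Length1\s+\d+", body):
        return "font_stream"       # licence/vendor strings from the sfnt name table
    return "content_stream" if b"stream" in body else "other_object"

def attribute_urls(pdf):
    """Map url -> sorted list of channels (a URL may surface on several)."""
    hits = defaultdict(set)
    for _, _, _, body in objects(pdf):
        ch = channel_of(body)
        for u in URL_RE.finditer(body):
            hits[u.group(0).decode("latin-1")].add(ch)
    return {u: sorted(c) for u, c in hits.items()}

def triage(pdf):
    """'active' = reachable by click or script; 'inert' = metadata/font strings;
    'passive' = only printed in page text, the user would have to retype it."""
    out = {}
    for url, chs in attribute_urls(pdf).items():
        if "javascript" in chs or "link_annotation" in chs:
            out[url] = "active"
        elif set(chs) <= {"xmp_metadata", "font_stream"}:
            out[url] = "inert"
        else:
            out[url] = "passive"
    return out

# Constructed sample, not the analysed file: object 5 0 is defined twice and the
# incremental update turns a bare link annotation into a /URI action; object 3 0
# is re-saved byte-identical (benign). Offsets and /Prev are not real.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 6 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >> endobj
4 0 obj << /Length 78 >>
stream
BT /F1 12 Tf 72 700 Td (Courier fee due. Track at http://parcel.invalid/track) Tj ET
endstream
endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 690 300 710] >> endobj
6 0 obj << /Type /Metadata /Subtype /XML /Length 110 >>
stream
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/>
endstream
endobj
7 0 obj << /Length 70 /Length1 70 >>
stream
DejaVu Sans  http://dejavu.sourceforge.net  http://scripts.sil.org/OFL
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 690 300 710]
/A << /S /URI /URI (http://pelibifir.invalid/claim?keyword=prize) >> >> endobj
trailer << /Root 1 0 R /Prev 9 >>
%%EOF
"""

if __name__ == "__main__":
    print(conflicting_duplicates(SAMPLE_PDF), triage(SAMPLE_PDF), sep="\n")
```

On the constructed sample the duplicate of object 5 0 is escalated to high because the last-wins body adds a /URI action, while the byte-identical re-save of 3 0 is ignored, and the namespace and font licence URLs come out as inert. Run against the real sample, the w3.org, purl.org and ns.adobe.com identifiers would be expected to resolve to the XMP metadata channel and the SIL OFL, DejaVu and font-vendor URLs to the embedded font streams listed under Extracted artifacts, leaving the pelibifir.ru and free-hosting links as the only URLs worth triage.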

Extracted artifacts (6)

Files carved from inside the sample during analysis. All six are embedded sfnt (TrueType/OpenType container) font programs; nothing else, in particular no script or embedded-file stream, was carved.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0001784a.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1784A  39656 bytes
    SHA-256 bb6d5f0030cb822899f57108f5e04e9e2ce6fbb0221064779850d2b527271f01
font_01_sfnt_off0001f172.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1F172   5204 bytes
    SHA-256 b7f2d3291d63c72c06100db2d8168f8885a2c5f89f146ef3efb5e5ae267ee675
font_02_sfnt_off00020303.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x20303   2832 bytes
    SHA-256 d7ddc674fe7926be9696cec077c753a3fd803f8f16b804922a96da8e91060357
font_03_sfnt_off00020ede.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x20EDE  12580 bytes
    SHA-256 e3b3a3d9de24cc53558ff0083deef1ca4e8b7e78d502188e8a7deb1d2ded8996
font_04_sfnt_off00023988.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x23988  16116 bytes
    SHA-256 ac3c58cee9eac94e6e8b2f6ba6ea8bd9b25bee429b0eb3751383e558fbf55225
font_05_sfnt_off00024e61.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x24E61   4324 bytes
    SHA-256 1158d95dac44631f497756703988ba3645251422e7ff0015d3fca430225e7c3e