Malicious PDF — malware analysis report

Static analysis result for SHA-256 b8372454096893a0…

MALICIOUS

PDF

Size: 147.9 KB
Created: 2021-03-19 09:11:53 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 45438d827c9ff38ec5e55d6d5a58b38a
SHA-1: 7baab322088a8c1d4570135328190db3cd77e4b8
SHA-256: b8372454096893a0eda0affefc1b91dcae92ef33229b88386dd91c7b88774ff5
Risk Score: 136

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file was detected as malicious by ClamAV and an ML classifier, and it contains heuristics indicating an advance-fee scam lure. The embedded URL https://crophysi.ru/strik?utm_term=how+much+does+scooter+service+cost is likely the primary destination for the phishing attempt, aiming to trick the user into believing they have won a prize or are due a payment. No scripts were extracted, but the PDF structure itself is indicative of a phishing campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9989

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://crophysi.ru/strik?utm_term=how+much+does+scooter+service+cost

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0002091e.bin
  SHA-256: a50ec44e3fbb24637064ee0754941ef395b2a40c984d39b4b8262f13d887c2a0
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x2091E
  Size: 5052 bytes

Filename: font_01_sfnt_off00021a34.bin
  SHA-256: c1fa124ae4a5797912eae3cd90f1409cd78d516f955f5e669ca4e656517476fc
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x21A34
  Size: 11500 bytes