Malicious PDF — malware analysis report

Static analysis result for SHA-256 c3827b30ed6ddb6f…

MALICIOUS

PDF

1.69 MB Created: 2017-03-23 11:49:57 Authoring application: Microsoft® Office Word 2007
MD5: 18b6b094f1a2d9cba204a18dcda585d8 SHA-1: 2193a9ba7ebd1791a9a1aee597e1debcd96a2a69 SHA-256: c3827b30ed6ddb6f9a109bacf02638e24a25e20a968b116910bc2222875c4bd7
78 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF document exhibits characteristics of an advance-fee scam, including urgency and fake payment/lottery language. It contains multiple embedded URLs, with http://www.hdbrts.co.in/ being a primary indicator. The document's structure and the presence of these lures suggest an attempt to trick the user into visiting a malicious site, likely for phishing or to download further malware. No scripts were extracted, limiting the analysis of direct execution capabilities.

Heuristics 6

  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.hdbrts.co.in/
    • http://www.eproc.karnataka.gov.in/
    • https://www.eproc.karnataka.gov.in/
    • https://eproc.karnataka.gov.in/
    • http://www.worldbank.org/debarr

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_148_off000b8787.bin
aa74ed8ed29225582683e1203b9da5830fb82570bd7aa0a5b0daef26c16c9f13		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0xB8787 204276 bytes
stream_153_off000fb6e6.bin
5942d460f21a45c16cf20a4c71f6e75022bde265b6409ec69d3d2a994729efc5		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0xFB6E6 200616 bytes
stream_162_off0014d289.bin
8001eead50a809ffd3bdf8a1a01eda7a96505f0b7420578a551317404be1ee5b		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x14D289 200124 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.