Malicious PDF — malware analysis report

Static analysis result for SHA-256 c44d01fc90cbab73…

MALICIOUS

PDF

422.8 KB Created: 2020-04-13 06:25:42 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 8620051bbe1e930f9eb6063c63158d73 SHA-1: d3b598912c4e18a7bfc413f47aeab05a9e05ed12 SHA-256: c44d01fc90cbab73dc0489599bade84256cb91a023154e4cf84aa227f7c99f3c
70 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The document exhibits characteristics of an advance-fee scam, presenting itself as an invoice or payment instruction. It contains an embedded URL that directs the user to a potentially malicious HTML file, likely intended to further the scam. The presence of multiple similar URLs suggests a campaign distributing this lure.

Heuristics 5

  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://nexisnailsystems.com/uploads/1/3/1/6/131636702/131636702.html#form+il+1065+schedule+b+instructions
    • http://olivianovello.com/uploads/1/3/0/3/130379843/d060168ffd11c.pdf
    • http://seisshk.com/uploads/1/3/1/0/131069886/4893154.pdf
    • http://sassie-travel-destinations.com/uploads/1/3/1/3/131380171/bowuxomeb.pdf
    • http://wellbeings.ie/uploads/1/3/0/9/130970014/vumaxu.pdf
    • http://rdbakes.com/uploads/1/3/1/4/131453818/xagoxexevupuvedot.pdf
    • http://webdisk.dynamicwealth.ca/uploads/1/3/0/4/130478203/pexamip.pdf
    • http://auto-aero-investments.com/uploads/1/3/0/4/130435661/gozatanagun_detejina_fojefogaji.pdf
    • http://royalbisonstudios.com/uploads/1/3/0/6/130639581/baxizozudop.pdf
    • http://forfattarskolan.com/uploads/1/3/0/5/130546354/junumagivuxikex.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000652e5.bin
239caeece7b892434632e1b8608b0a0850f58bc543edadfc4fab0d538e59baff		 pdf-font-stream PDF embedded font (sfnt) at offset 0x652E5 9224 bytes
font_01_sfnt_off000675dc.bin
1c59bb7c42fb9dd689b4bb89b4bd7dddcd90480c3e9a7d7103ab4e5015ba4716		 pdf-font-stream PDF embedded font (sfnt) at offset 0x675DC 16084 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.