Malicious PDF — malware analysis report

Static analysis result for SHA-256 cbd80224303793a6…

MALICIOUS

PDF

Size: 80.8 KB
Created: 2021-04-22 20:42:45 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 75d782cf37f3b784082bb46df68b7d0f
SHA-1: 9618cb54965452d2970f069d17eb328912c02f6b
SHA-256: cbd80224303793a6565a6ecfdd00dfdf2d56b1ec1f005493b73dc21e80522f82
Risk Score: 76

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The document was flagged by an ML classifier as malicious and exhibits characteristics of an advance-fee scam, including language related to lotteries, prizes, and parcel delivery. The presence of embedded URLs, such as https://botokaw.ru/strik?utm_term=cost+of+living+by+country+comparison, suggests an attempt to redirect the user to malicious sites. While no scripts were explicitly extracted, the PDF structure and embedded URIs are indicative of a phishing or scam attempt, likely delivered as a spearphishing attachment.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9998

Heuristics (4)

  • Advance-fee lottery/parcel scam lure (severity: high) SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • External URI (severity: info) PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info) PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://botokaw.ru/strik?utm_term=cost+of+living+by+country+comparison
    • http://logvoz.ru/respironics_bipap_user_manuallnjm7.pdf
    • https://static.s123-cdn-static.com/uploads/4451753/normal_5fe1b46a751e2.pdf
    • http://geosen.net/appendix_16_form_of_transfer_certificate342sz.pdf
    • http://fbcopyright-center.com/uni-com_doorbell_change_tone5yxrj.pdf
    • https://xipidutaz.weebly.com/uploads/1/3/4/4/134401361/tizezi-gifol-piwumemamene.pdf
    • https://cdn-cms.f-static.net/uploads/4382413/normal_601c78ef6699a.pdf
    • http://bhd-management.space/weekly_planner_free2o5z7.pdf
    • https://kebezade.weebly.com/uploads/1/3/4/4/134479439/gofotipemuli_ponusixodananu_jidalomelop.pdf
    • http://dimax.website/ruweparirahv0uk.pdf
    • http://leomannapov.com/rerijilodinewijukilignivpr.pdf
    • http://presalon.xyz/power_air_fryer_elite_operating_instructionssz4vs.pdf
    • http://grantmedica.ru/pool_heater_error_codescgyvy.pdf
    • https://cdn-cms.f-static.net/uploads/4402745/normal_60331aa7d67e8.pdf
    • http://promooffer.site/pedodigifirizqvyt.pdf
    • http://vodoroding.info/9140552985qs3kr.pdf
    • http://itravelgr.com/69212935895uncdf.pdf
    • https://cdn-cms.f-static.net/uploads/4375356/normal_60168b3873032.pdf
    • http://nevinidonet.mywebcommunity.org/best_annotation_app_for_apple_pencil.pdf
    • http://fejiximodanu.mygamesonline.org/bbc_compacta_class_11_english_answers.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size:

  • font_00_sfnt_off0000ee81.bin
    SHA-256: 215e35bee7e405b0b4f2bed8e626e7162e3c3038fe9f1f96266a841e3be37f4f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEE81
    Size: 5424 bytes
  • font_01_sfnt_off000100e7.bin
    SHA-256: 705af3c8051863d8b60f19ac709c6f56d326a6cb8adf4aab3ecf5fc2bf8608e0
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x100E7
    Size: 11504 bytes
  • font_02_sfnt_off000127df.bin
    SHA-256: 7f6049e5011acf0e8581793f2bc2bb947aac2929fdb77abc318b2a6155c1ef71
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x127DF
    Size: 4324 bytes