Malicious PDF — malware analysis report

Static analysis result for SHA-256 cff2142cf4315f8e…

Verdict: MALICIOUS
File type: PDF
Size: 252.6 KB
Created: 2021-03-19 05:30:16 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7451439fbee3d6bfece252554ba6bce3
SHA-1: b3199f447b4a65d8ae4086a7bf7453b44101abb1
SHA-256: cff2142cf4315f8e60b2c424b98fff0e352e38c3957556632a247f994bab7f97
Risk score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1190 Exploit Public-Facing Application

The file was detected as malicious by ClamAV and by an ML classifier, and it exhibits the characteristics of an advance-fee scam combined with a callback phishing lure. The document body is heavily obfuscated, but its metadata indicates it was generated by wkhtmltopdf. Multiple external URLs were extracted, indicating potential redirection or payload delivery. The combination of scam lures and malware detections strongly suggests a phishing attempt.

Machine Learning

  • Nyx PDF Classifier: malicious, score 0.9953

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0.
  • Advance-fee lottery/parcel scam lure (high, SE_ADVANCE_FEE_SCAM_LURE)
    The document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Callback phishing phone lure (medium, SE_CALLBACK_LURE)
    The document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context, consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • External URI (info, PDF_URI)
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00039192.bin
    SHA-256: a525c8adf1b044e4eeae7d316d5e496a7bff883a41c1d99b54208bc5221575d1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x39192
    Size: 5340 bytes
  • font_01_sfnt_off0003a38c.bin
    SHA-256: f50d742f3d94c4204d0f8c386bd85199de8409c93469ad2ee092efd56ec26471
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x3A38C
    Size: 12420 bytes
  • font_02_sfnt_off0003ce00.bin
    SHA-256: a95eff378c135b1ab40d10b3cd1da1bafbc07f86005f57898d079c90d712ddbd
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x3CE00
    Size: 16204 bytes