Malicious PDF — malware analysis report

Static analysis result for SHA-256 e5ee49a683b6dde2…

Verdict: MALICIOUS
File type: PDF
Size: 6.53 MB
Created: 2021-09-16 19:11:54 +01:00
Authoring application: Adobe InDesign 16.4 (Macintosh) (via Adobe PDF Library 16.0)
First seen: 2022-07-15
MD5: 72ac938b5fa69122769b9dc67852d980
SHA-1: 67bf09429efce9b2c1a4ea1b87e722dc652bc171
SHA-256: e5ee49a683b6dde2d5435e916f60681d69fbac47ba5e6126ace405900c60c59a
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1566.003 Phishing: Malicious Attachment
  • T1204.002 Malicious Link

The PDF file contains heuristics indicating an advance-fee scam lure, presenting language related to lotteries or prizes and parcel delivery requirements. It also includes external URIs, one of which uses a URL shortener, likely directing the user to a malicious site. The document body is heavily obfuscated, preventing a detailed analysis of its specific content, but the presence of an AcroForm button with an action trigger suggests an attempt to interact with the user.

Machine Learning

  • Nyx PDF Classifier clean score 0.1679

Heuristics (6)

  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Clickable URI uses URL shortener medium PDF_URL_SHORTENER_URI
    PDF contains a clickable HTTP(S) action whose destination is a URL shortener. This hides the final landing page from static review and is common in phishing redirect PDFs.
  • ASCII85Decode filter (with exploit indicators) low PDF_FILTER_85
    ASCII85 encoding filter present alongside exploit delivery indicators — uncommon outside of obfuscation.
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.
  • External URI info PDF_URI
    PDF contains an external URL action.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://www.springimpact.org/contact/
    • http://ns.camerabits.com/photomechanic/1.0/
    • http://ns.fotoware.com/iptcxmp-legacy/1.0/
    • http://ns.fotoware.com/iptcxmp-reserved/1.0/
    • http://ns.iview-multimedia.com/mediapro/1.0/
    • http://cipa.jp/exif/1.0/
    • http://ns.useplus.org/ldf/xmp/1.0/
    • https://www.springimpact.org/2021/09/journey-to-impact
    • https://www.springimpact.org/journey-to-impact
    • https://www.springimpact.org/newsletter/?utm_source=Report&utm_medium=CTA&utm_campaign=Journey_to_impact
    • https://www.springimpact.org/?utm_source=Report&utm_medium=CTA&utm_campaign=Journey_to_impact
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/exif/1.0/aux/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
    • http://ns.adobe.com/camera-raw-settings/1.0/
    • http://ns.adobe.com/photoshop/1.0/
    • http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/
    • http://ns.adobe.com/tiff/1.0/
    • http://ns.adobe.com/exif/1.0/
    • http://ns.adobe.com/illustrator/1.0/
    • http://ns.adobe.com/xap/1.0/t/pg/
    • http://ns.adobe.com/xap/1.0/sType/Dimensions#
    • http://ns.adobe.com/xap/1.0/g/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://iptc.org/std/Iptc4xmpExt/2008-02-29/
    • http://ns.microsoft.com/photo/1.0/
    • http://ns.adobe.com/xap/1.0/g/img/
    • http://ns.adobe.com/xmp/InDesign/private
    • https://bit.ly/SpringImpactLinkedIn
    • https://bit.ly/SpringImpactTwitter
    • http://www.iec.ch

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

  • icc_00_off0000190b.icc
    SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
    Kind: pdf-icc-profile
    Source: PDF ICC profile at offset 0x190B
    Size: 3144 bytes
  • font_00_cff_off00003b0d.bin
    SHA-256: 9f9b5d2fb2f67aa47a61c9fa586ff0ae0aebddeb708bef851e5ed08762481bf3
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x3B0D
    Size: 4065 bytes
  • font_01_cff_off0000495a.bin
    SHA-256: 76d67066a01d65291b7b67c68a855f50d4952a695de451ec3b0e0738a35fd92d
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x495A
    Size: 5190 bytes
  • font_02_cff_off00121bea.bin
    SHA-256: 8e80540a97bf0c243e3ac19bcfce7cd1e228e41b8e5fb0a6ea74a75e3aca9ead
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x121BEA
    Size: 1964 bytes
  • font_03_sfnt_off0064d836.bin
    SHA-256: 444c210af12243557deb79e4f9c4b8d1a3e142f059f6bdfff25fd6a9167ff3cf
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x64D836
    Size: 10905 bytes