Malicious PDF — malware analysis report

Static analysis result for SHA-256 e6af7839ce0a36ee…

Verdict: MALICIOUS
File type: PDF
Size: 3.74 MB
Created: 2020-03-11 03:15:04 +01:00
Authoring application: GPL Ghostscript 9.27
MD5: fc0391f1d544c1b5cbf302f6cc3a54ec
SHA-1: 2c84cdd178779a28aa9981ce53776f5f48ed5b6b
SHA-256: e6af7839ce0a36ee2f83455286ea9a8d6a17f19d51dca90c30d7becf88123221
Risk score: 62

Malware Insights

MITRE ATT&CK
  • T1566.003 Phishing: Spearphishing Attachment
  • T1059.001 Command and Scripting Interpreter: PowerShell

The PDF file exhibits characteristics of an advance-fee scam, as indicated by the 'SE_ADVANCE_FEE_SCAM_LURE' heuristic. The document's content, though heavily obfuscated, likely aims to trick the recipient into believing they are owed a large sum of money or have won a prize, which is a common tactic in advance-fee fraud. The presence of numerous external URLs, many of which appear to be related to government health organizations, suggests an attempt to lend legitimacy to the scam or to host malicious content. The high stream count also suggests obfuscation techniques were employed.

Heuristics (4)

  • Advance-fee lottery/parcel scam lure [high] SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Unusually high stream count [medium] PDF_MANY_STREAMS
    PDF contains 501+ stream objects; this may indicate heap spray or heavy obfuscation.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (29)

Files carved from inside the sample during analysis.
