Malicious PDF — malware analysis report

Static analysis result for SHA-256 ee510817e684d711…

Verdict: MALICIOUS
File type: PDF
Size: 5.80 MB
Created: 2018-08-10 00:54:28 -03:00
Authoring application: Sejda 3.2.56 (www.sejda.org) (via 3-Heights(TM) PDF Optimization Shell 4.8.25.2 (http://www.pdf-tools.com))
MD5: 065bf47ba29861e19151902d3c92dea6
SHA-1: 3abb053e6aa6dd64714b699faefc8048fa043d10
SHA-256: ee510817e684d711beb24e2d2ced5aa4c762d5e63b73568e3322e9ca544797d0
Risk Score: 62

Malware Insights

MITRE ATT&CK
T1566.003 Spearphishing Attachment

The PDF document exhibits characteristics of an advance-fee scam, using language related to lotteries, beneficiaries, prizes, and parcel delivery requirements. The high stream count suggests obfuscation techniques were employed. Several external URLs were extracted, with some flagged as unknown or confirmed benign, but the primary lure is evident in the document's structure and heuristic firings.

Heuristics (4)

  • Advance-fee lottery/parcel scam lure (severity: high) SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Unusually high stream count (severity: medium) PDF_MANY_STREAMS
    PDF contains 501+ stream objects — may indicate heap spray or heavy obfuscation.
  • External URI (severity: info) PDF_URI
    PDF contains an external URL action.
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://www.gtexportal.org/home/
    • http://www.regulomedb.org/
    • http://www.inca.gov.br/conteudo_view.asp?id=322
    • http://www.tabnet.datasus.gov.br/
    • http://www.ufsj.edu.br/recgenlab
    • http://www.pdf-tools.com\
    • https://www.ncbi.nlm.nih.gov/pubmed/28012700
    • http://www.ncbi.nlm.nih.gov/pubmed/?term=de%20Sousa%20SF%5BAuthor%5D&cauthor=true&cauthor_uid=26979257
    • https://www.ncbi.nlm.nih.gov/sra/SRX3350440
    • https://doi.org/10.6084/m9.figshare.5661802
    • https://www.ncbi.nlm.nih.gov/sra/SRX3427716
    • https://doi.org/10.6084/m9.figshare.5661988
    • http://www.nature.com/articles/s41598-018-26623-x
    • https://www.nature.com/articles/s41598-018-26623-x
    • https://www.ncbi.nlm.nih.gov/pubmed/?term=Beckenkamp%20A%5BAuthor%5D&cauthor=true&cauthor_uid=26943912
    • https://www.ncbi.nlm.nih.gov/pubmed/?term=Davies%20S%5BAuthor%5D&cauthor=true&cauthor_uid=26943912
    • https://www.ncbi.nlm.nih.gov/pubmed/?term=Willig%20JB%5BAuthor%5D&cauthor=true&cauthor_uid=26943912
    • https://www.ncbi.nlm.nih.gov/pubmed/?term=Buffon%20A%5BAuthor%5D&cauthor=true&cauthor_uid=26943912
    • https://www.ncbi.nlm.nih.gov/pubmed/?term=CD26%2FDPPIV+in+cancer+progression+and+spread
    • http://www.rstudio.com/
    • https://www.nature.com/articles/nrm2822#auth-2
    • https://www.ncbi.nlm.nih.gov/pubmed/?term=Rodrigues%20V%5BAuthor%5D&cauthor=true&cauthor_uid=22168464
    • https://www.ncbi.nlm.nih.gov/pubmed/?term=Cordeiro-da-Silva%20A%5BAuthor%5D&cauthor=true&cauthor_uid=22168464
    • https://www.ncbi.nlm.nih.gov/pubmed/?term=Laforge%20M%5BAuthor%5D&cauthor=true&cauthor_uid=22168464
    • https://www.ncbi.nlm.nih.gov/pubmed/?term=Ouaissi%20A%5BAuthor%5D&cauthor=true&cauthor_uid=22168464
    • https://www.ncbi.nlm.nih.gov/pubmed/?term=Silvestre%20R%5BAuthor%5D&cauthor=true&cauthor_uid=22168464
    • https://en.wikipedia.org/wiki/Locus_\(genetics\
    • https://en.wikipedia.org/wiki/Gene_expression
    • https://www.ncbi.nlm.nih.gov/pubmed/26555224
    • https://www.ncbi.nlm.nih.gov/pubmed/?term=Kruglyak%20L%5BAuthor%5D&cauthor=true&cauthor_uid=17047685
    • https://www.ncbi.nlm.nih.gov/pubmed/22955616
    • https://www.ncbi.nlm.nih.gov/pubmed/20368146
    • https://www.youtube.com/watch?v=lQBMWRdMFl8

Extracted artifacts (32)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
stream_008_off00012d73.bin | 55c477317b5179a577aa936bf59e5a2ac5203f0b27c4607be9ffb6441aacd3c7 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x12D73 | 1540700 bytes
stream_038_off0005dafa.bin | 1a082fafe5d420c8123947d718731ef97e5e6f9ca8c8606a6a54a9354cdb83ee | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x5DAFA | 1540700 bytes
stream_095_off000d30b9.bin | 9ee832a866ddb8e791e080981656e43d7b60f55faa145271006eba0164f0caeb | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xD30B9 | 6996 bytes
stream_128_off00105b4f.bin | 3404a1c8a10a75fd89c92e85cd159ee542b3dcc4e5aed977e717ebaada852419 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x105B4F | 1540700 bytes
stream_174_off00167186.bin | 2665e4d1c405bad0908ddb9079cfca826b40fbd334191b06f701a5c6c3c0a214 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x167186 | 1540700 bytes
icc_00_off00011d28.icc | 9e3d49aef74009b18086d1e48762b016f156a1d63e3eafb174452a2f22ba2095 | pdf-icc-profile | PDF ICC profile at offset 0x11D28 | 912 bytes
icc_05_off002beee9.icc | 0976fe7bc0f118a47c89747cb707c6f76044b48baf670dad811d0514bc2c4214 | pdf-icc-profile | PDF ICC profile at offset 0x2BEEE9 | 416 bytes
icc_06_off002bf033.icc | 942e0f66212eb8ad252706559da5007d893d7350652704f8d115d5e6074479d0 | pdf-icc-profile | PDF ICC profile at offset 0x2BF033 | 2576 bytes
icc_08_off00351698.icc | 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e | pdf-icc-profile | PDF ICC profile at offset 0x351698 | 3144 bytes
icc_11_off00423cd3.icc | 35f401731df11a4eba3502af632e51d68bc394bcb7d34632a331c1ba3f4a0bf6 | pdf-icc-profile | PDF ICC profile at offset 0x423CD3 | 557168 bytes
icc_14_off0054e057.icc | 653b586c4707574ffcd648ba35494daed2c76ceafcf4c07d315ed961b1dc347f | pdf-icc-profile | PDF ICC profile at offset 0x54E057 | 408 bytes
font_00_sfnt_off00001188.bin | afb1800443c2265284abbe82bd91d900b4b6fc81c538dd02cbe09d8ca29e3da7 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1188 | 15608 bytes
font_01_sfnt_off00002f7d.bin | 35bd86f501683f796895320e4494ad06764baab9c3c73695dcdc6e9d89e2d63e | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2F7D | 6792 bytes
font_02_sfnt_off0007ccb6.bin | 75fda0e9b03f74cc7f5eee5361d2ef3de3d363956bb2802ead13a88af0deb8df | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7CCB6 | 5416 bytes
font_03_sfnt_off0007e675.bin | f9f8405cdfc8573a706cd713dfb5b7e7e508c2b5dbde81d524362e788b3de2bd | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7E675 | 5960 bytes
font_04_sfnt_off0008ac5f.bin | 88f532f81a287481bc3f85820a09c97882b26598a6ad55ae429b04a3347e8f21 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8AC5F | 13568 bytes
font_05_sfnt_off000933e8.bin | 9aabd9144aa52404080f8d352307b94a8ebca4523f054250e2395fd9a08736bc | pdf-font-stream | PDF embedded font (sfnt) at offset 0x933E8 | 8352 bytes
font_06_sfnt_off0009e06e.bin | 1ad0df3b723d9cfa1486ecb4ca4d3e826bff4160ff1daf4f968ef3e1fdd611cb | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9E06E | 8656 bytes
font_07_sfnt_off000a2874.bin | 998fb252b5be47a1cc9961008174f4c33faf800183b823588958cc8a4080267b | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA2874 | 5508 bytes
font_09_sfnt_off000d21d9.bin | 099382d28598f8b576b672eb3cb64ce703467a001dce304b0ed7b742c7ab90dd | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD21D9 | 3300 bytes
font_11_sfnt_off000d4b7e.bin | 1aa19aef6b0edeb4d3f6d06dbeb9fdd9331eff016befb9709d8b5c6e34f351af | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD4B7E | 3912 bytes
font_12_sfnt_off000d60b5.bin | c890d0cc0f36f9eb9b2415cbfdcefbd71efe27e21b19672bccd844316b4ac4ae | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD60B5 | 35572 bytes
font_13_sfnt_off000e6455.bin | 83f201270cab88c5857aa270d2bc3f73198763ed2406b58739b9740d92bfca40 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE6455 | 20836 bytes
font_14_sfnt_off000e835f.bin | 800e5213005c57df0ba77a2c1b49b0be39154c6fb0e64b0fc79b45c7b5ba071c | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE835F | 23484 bytes
font_15_sfnt_off000ebb8b.bin | 3fceb1e249f93a0a77c10f13968dd5a8c242be64522ff354563d231d60993e4b | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEBB8B | 11936 bytes
font_16_sfnt_off0014b7c3.bin | fd2cca8b48402f79463b7d4421ecc224d3abf4df3b2e2fa19f1591cbb5222a34 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x14B7C3 | 7528 bytes
font_17_sfnt_off00190abc.bin | 73fa33a022a81d9b0df92ce8f68b1dcd86eb20e912f2c141051d6604792badd6 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x190ABC | 22704 bytes
font_18_sfnt_off00194e7b.bin | 527b5108e33e59c7cf79b95a15454ff739ca19c458a400db774c5317be6371a9 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x194E7B | 41980 bytes
font_19_sfnt_off0019ba77.bin | 1475beb6efea9afc02c4fcf3a19205ac0e728446ae62b44b7ba000b6e541e788 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x19BA77 | 20016 bytes
font_20_sfnt_off0019f71f.bin | 1cf7c1169ac126ab8cb267f29091056e754a19e88ae0a547433531a942f0a82c | pdf-font-stream | PDF embedded font (sfnt) at offset 0x19F71F | 21244 bytes
font_21_sfnt_off001a36f3.bin | d61dae0bb455f824c07e4429212644c3e129e03d615087898eec143076214a90 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1A36F3 | 47556 bytes
font_22_sfnt_off001ab9a4.bin | 380cdb0ffdf807eb6b29900f007b67a66e711292fff4e72580d67e103f025dde | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1AB9A4 | 12660 bytes