Malicious PDF — malware analysis report

Static analysis result for SHA-256 f58c7a23498fbe65…

MALICIOUS

PDF

Size: 76.4 KB
Created: 2021-04-19 22:04:55 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7a71e1a209c41adfcb7facfc07a7453f
SHA-1: d28705e92e62b54f4305f0ac92e310dd64922f90
SHA-256: f58c7a23498fbe658b8b01683eb8707c4c4240a27585d16f451320d609b5b9db
Risk Score: 136

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is identified as malicious by ML classifiers and ClamAV, with a high-severity heuristic indicating an advance-fee scam lure. The document body, though heavily obfuscated, contains references to 'famous writers' and 'american literature', potentially a deceptive pretext. The primary IOC is an external URI pointing to a URL associated with the scam, likely serving as a lure or a redirect to a malicious site.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9997

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Advance-fee lottery/parcel scam lure [high, SE_ADVANCE_FEE_SCAM_LURE]
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • External URI [info, PDF_URI]
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ponafet.ru/strik?utm_term=20+famous+writers+in+american+literature

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off0000ec8b.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xEC8B  5296 bytes
  SHA-256: d520145ed8c299ca95a59d02a3b8214f89b9e301a0b76a040a8980677ddb1d27
font_01_sfnt_off0000fe8a.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xFE8A  11448 bytes
  SHA-256: e0cfb0f83485bea3c0c55cc6de3f8b01dc2e040f281c4fda056ac7e7d5feec9e