Malicious PDF — malware analysis report

Static analysis result for SHA-256 0367b6d0153408c4…

Verdict: MALICIOUS
File type: PDF
Size: 91.0 KB
Created: 2021-03-29 03:33:04 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 75bcb299b17e7856e4fc40871521964b
SHA-1: 4a8a7fe4923cce0042c554c596148c90309d16f9
SHA-256: 0367b6d0153408c477b55273b4b05ea5a6d5a31a34082e050c6a8e7c1fabb2b8
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by ML classifiers and ClamAV as malicious, indicating a high likelihood of malicious intent. It contains an embedded URI pointing to 'https://resalured.ru/wix?keyword=ess+caesars+docagent.net', which is likely a phishing or malware distribution URL. The document body, though heavily obfuscated, contains text fragments that suggest a lure related to 'ess caesars docagent.net'. No scripts were extracted, but the presence of external URLs and the overall detection profile strongly suggest a phishing or credential harvesting attempt.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9997

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, tag: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (severity: info, tag: PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, tag: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, tag: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://resalured.ru/wix?keyword=ess+caesars+docagent.net

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, Kind, Source, Size

  • font_00_sfnt_off000111a6.bin
    SHA-256: d9ac8447382c72c0084dc33b256e454383e07fb59f309e4951c7efd6d4722f6c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x111A6
    Size: 4164 bytes
  • font_01_sfnt_off00012055.bin
    SHA-256: 0eddcce9cea7d97482f99be0d6462f0bf9433b9cae6c705a54b0ad6879e4d351
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12055
    Size: 5064 bytes
  • font_02_sfnt_off000131a5.bin
    SHA-256: 872b9ebf6dceda6d38f084812bbf2698ad3a1f647230742d0014236829ba7610
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x131A5
    Size: 13612 bytes