Malicious PDF — malware analysis report

Static analysis result for SHA-256 0d192aa2e1e84dd8…

Verdict: MALICIOUS

File type: PDF

Size: 86.1 KB
Created: 2021-05-02 08:42:39 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 5b7f3f57ba7f16e865e369e822772cc7
SHA-1: 22537bbf1b8c0dca6cb24f2b81e59f8976d1487b
SHA-256: 0d192aa2e1e84dd81110ef74b19161289959711019bc977d0205e463b4c50566

Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is identified as malicious by ML classifiers and ClamAV, specifically flagged as a phishing trojan. It contains an external URI pointing to a suspicious domain, 'resalured.ru', which is likely used to host a malicious payload or phishing page. The document body, though heavily obfuscated, contains metadata suggesting it was generated by wkhtmltopdf, a tool often used to create PDFs from web content, potentially masking the malicious intent.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9946

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://resalured.ru/strik?utm_term=functional+programming+in+java+interview+questions
    • https://cdn.sqhk.co/tomubozes/dLjiQdN/uk_sec_football_schedule_2020.pdf
    • http://papawugamajube.mygamesonline.org/23152482454.pdf
    • http://noxavikadovul.mypressonline.com/15641560432.pdf
    • https://cdn.sqhk.co/dudugetogi/jb0idif/eye_candy_rotten_tomatoes.pdf
    • http://vexasefagi.scienceontheweb.net/will_there_be_a_5th_eragon_book.pdf
    • http://tonukavugu.mygamesonline.org/autometrica_marzo_2020.pdf
    • http://vexezujuzas.scienceontheweb.net/kolopexuvone.pdf
    • https://cdn.sqhk.co/xizefonuma/y0BigjU/sonic_boom_show_cast.pdf
    • http://nipokaxa.getenjoyment.net/relefebunu.pdf
    • http://zowogusatutojus.mywebcommunity.org/blueant_s4_manual.pdf
    • http://tevubirufizibun.iblogger.org/65967049699.pdf
    • http://fesofiwig.22web.org/lowepukonenipe.pdf
    • http://taxevidel.medianewsonline.com/effects_of_globalisation_on_education_in_zimbabwe.pdf
    • https://cdn.sqhk.co/tivanosox/c06Fhca/monster_energy_supercross_game_review_ign.pdf
    • https://cdn.sqhk.co/zizenozi/I64hihf/polosagowugasamal.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://s3.amazonaws.com/kumasala/scrabble_rules_proper_nouns.pdf
    • https://63dbeab4-18c6-4677-a808-17cd77aec119.filesusr.com/ugd/963d80_9b403ea7eccc452daca1281715c625f0.pdf?index=true
    • http://fadifisevak.epizy.com/39523773413.pdf
    • https://s3.amazonaws.com/fuwuzerijofa/51974065983.pdf
    • https://s3.amazonaws.com/ladiwuzetawedi/gunev.pdf
    • https://98350ace-7ac4-4f38-a9d9-579fdad8050b.filesusr.com/ugd/9b2d9b_6c3982771ea64f94899df5737f06ac8c.pdf?index=true
    • https://s3.amazonaws.com/ligole/85558423662.pdf
    • https://beea745c-e446-4317-9ad8-fe501d584c0a.filesusr.com/ugd/9196db_f26766829638446c843823ef4b1792c3.pdf?index=true
    • https://s3.amazonaws.com/jufowokedunod/guxukemolivu.pdf
    • https://ca6b24e6-01cd-4368-a310-1df05077a315.filesusr.com/ugd/11b39a_f2921824f9f542ba944da2614ae8e644.pdf?index=true
    • http://ratazudawi.epizy.com/animals_starting_with_o_fight_list_answers.pdf
    • https://41fe7446-7195-45c8-906d-de5e784989f9.filesusr.com/ugd/e02969_97e7588c9c004cb8a953c45dc39e905f.pdf?index=true
    • http://pikaderobiw.atwebpages.com/acr_form_punjab.pdf
    • http://wafubarig.epizy.com/eagle_tattoo_template.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

  • font_00_sfnt_off0001041d.bin
    SHA-256: b42bd3013340453b1d889109542d1a26e04e559613f35e01eb88f91e7f5af90d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1041D
    Size: 5444 bytes
  • font_01_sfnt_off0001169d.bin
    SHA-256: 83d70491fd2c727a9d40242772967cd47ec8529fff537b0d37e5cc2a7aab0c42
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1169D
    Size: 11032 bytes
  • font_02_sfnt_off00013c25.bin
    SHA-256: d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x13C25
    Size: 4324 bytes