Malicious PDF — malware analysis report

Static analysis result for SHA-256 1b972e0c53a62a4e…

Verdict: MALICIOUS
File type: PDF
Size: 79.9 KB
Created: 2021-05-15 20:55:26 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5ab42dde2a292566aec623b3991b35c5
SHA-1: 58e0400c2aa8f5d33bedfacda788bca1ba7bd4d1
SHA-256: 1b972e0c53a62a4eaa6c3d13f6fd3a2815ee6db42cdb0463c7b5e8e35a4d2aa7
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged by multiple heuristics and a machine learning classifier as malicious, with ClamAV identifying it as a phishing trojan. The document contains a large number of external links, many of which point to other PDF files, suggesting a link farm or redirection mechanism. The primary malicious URL identified is https://resalured.ru/strik, which is likely used to host or redirect to a malicious payload or phishing page.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9993

Heuristics (5)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL https://resalured.ru/strik?utm_term=how+to+clean+rainsoft+brine+tank
    • https://sizelomola.weebly.com/uploads/1/3/4/6/134606864/7434214.pdf
    • https://cdn.sqhk.co/mekaxosur/x9JIgiG/juvikub.pdf
    • http://fejavodexata.getenjoyment.net/wupusapadasovafabajagek.pdf
    • https://cdn.sqhk.co/tibakekavero/hgieCjg/58302457576.pdf
    • https://lupemofuxuxutuj.weebly.com/uploads/1/3/1/3/131383332/65540c1d35.pdf
    • https://firulozide.weebly.com/uploads/1/3/0/7/130775295/4c93e.pdf
    • https://cdn.sqhk.co/mugejufunij/achdjex/super_soccer_stars_boston_coaches_page.pdf
    • https://pedogore.weebly.com/uploads/1/3/2/8/132815008/1859465.pdf
    • http://mujoxoluvisukid.getenjoyment.net/traductor_ingles_espaol_gratis_para_descargar.pdf
    • https://vavozeja.weebly.com/uploads/1/3/5/3/135308761/rusimexe_pupuk_kowonogeniwel.pdf
    • https://tanibabinilez.weebly.com/uploads/1/3/4/0/134018029/85ae4640d2.pdf
    • https://cdn.sqhk.co/feketukadoz/hcvgiie/radepokomifeb.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://rulamiji.onlinewebshop.net/arithmetic_rakesh_yadav_download.pdf
    • https://b01cffea-7a05-49e8-9781-04202a21c04b.filesusr.com/ugd/d5d855_bf5fc6ace03349f1aacf4f32f4f34ea2.pdf?index=true
    • https://bef89f6e-6323-4b84-ad9d-a44490bfcc4f.filesusr.com/ugd/96768c_a8f258d3f1fe4abfb551e535856b4b1e.pdf?index=true
    • http://dajomilot.atwebpages.com/77167215208.pdf
    • https://28f2c00a-638b-45ec-8848-4d649cb6aba9.filesusr.com/ugd/946f28_6111035f3ddb432eb4470730d4aadb80.pdf?index=true
    • https://96ea5dd8-6962-4d57-b29c-fb233a715e3b.filesusr.com/ugd/ac3463_30d11282c83a4777adc062b0f5c8f190.pdf?index=true
    • https://a7193630-a032-4ee2-b136-33837135b76a.filesusr.com/ugd/fac845_b8f5b94f15d54afd9241860139bfd69a.pdf?index=true
    • https://d09251a9-b09e-4077-8ccb-24037f005f7b.filesusr.com/ugd/a6ce17_c96825689d0d4baf959e06bb52341d66.pdf?index=true
    • http://wobadumiravolu.atwebpages.com/enuresis_nocturna.pdf
    • https://994180ce-385f-4272-9833-4a204a825e0f.filesusr.com/ugd/ec0c41_81425eb3d52e400baff28e9b830c0cb0.pdf?index=true
    • https://f6e2a16f-d004-42cd-8f17-0463e090774c.filesusr.com/ugd/c70c35_b061beba879442cdaff9665a36a3aaa5.pdf?index=true
    • https://189c2d36-84ff-4b81-9465-96c33c1d3b91.filesusr.com/ugd/35ddae_2d03973c1b3a4a6b80840281fa83f98c.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000faef.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFAEF | 5132 bytes
    SHA-256: 10dca8e55feb6ad0b66cfc9d8f90b0c46103f4fe981c73bf97b2956e317bf3cd
font_01_sfnt_off00010c88.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10C88 | 10552 bytes
    SHA-256: 6253a472ec0d5c6d09a0553b211f20392d0e2d552e26dff24f29dbac228b7b80