Malicious PDF — malware analysis report

Static analysis result for SHA-256 21ebead2b62b3660…

MALICIOUS

PDF

Size: 104.0 KB
Created: 2021-03-28 22:42:23 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b002ceb4bf886344f5ae7e435faad5de
SHA-1: ab8c73a1f89e64a6c252136d6059b96f932c3359
SHA-256: 21ebead2b62b36608706d0b05a36bf74d5b94234c7fbb03165a4daaa66098700
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by ML classifiers and ClamAV as malicious, specifically as a phishing trojan. It contains an embedded URI pointing to 'resalured.ru', which is likely a phishing or malware distribution site. The document body, though heavily obfuscated, suggests a lure related to technical documentation, which is a common tactic for phishing.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9979

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://resalured.ru/award?keyword=amplitude+modulation+basics+pdf
    • http://uber-global.com/recumbent_bike_life_fitness_silverline_95ri657hv.pdf
    • https://static.s123-cdn-static.com/uploads/4465145/normal_5ffa378fbe1ad.pdf
    • http://sopidemeleket.mygamesonline.org/36750568861.pdf
    • http://technodom11.com/how_many_gallons_is_a_nordic_hot_tubd8wl4.pdf
    • https://cdn-cms.f-static.net/uploads/4467573/normal_605214b750517.pdf
    • http://prostosite.site/optiplex_7010_usff_specificationsnwz2s.pdf
    • http://kieverts.xyz/58493619185nmiz3.pdf
    • http://nubolats.xyz/848359869179pv56.pdf
    • http://skidki-day.site/drinkwell_platinum_pumpi27ir.pdf
    • http://rmk4sale.xyz/vidas_secas_english_subtitles4novs.pdf
    • http://ehaberdevlet.com/wordly_wise_3000_book_3_answer_keyl0uox.pdf
    • https://static.s123-cdn-static.com/uploads/4475725/normal_5fef3f152872f.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://cb8582fb-ab29-4f13-bfd4-623ca244ab52.filesusr.com/ugd/d61b30_230f6684ac6b419c8d9611e1335a2ef3.pdf?index=true
    • https://48bd7725-9370-4d18-884e-e75d7b70c9c4.filesusr.com/ugd/f241d9_ed25eb47c377428d9b87c038abc95908.pdf?index=true
    • https://73af689e-4c80-4f62-99d3-7a886641ad81.filesusr.com/ugd/3b5dd9_b3d3172ba6344a6e8335b22bccdb07ea.pdf?index=true
    • http://positajugopisu.myartsonline.com/aletheia_heidegger.pdf
    • http://gurabagoderes.atwebpages.com/karcher_pressure_washer_soap_instructions.pdf
    • https://63aa7d51-6c54-48cc-ac87-b710a0da19c3.filesusr.com/ugd/c8d394_133cc47a24df473c9cb9ab6dd484df2e.pdf?index=true
    • https://uploads.strikinglycdn.com/files/a451f86d-da89-4e96-bc9f-09698918c810/43310133529.pdf
    • https://uploads.strikinglycdn.com/files/15d681c1-f68b-4596-9952-7fb64719a404/how_to_change_from_military_time_on_armitron_watch.pdf
    • https://uploads.strikinglycdn.com/files/59bd2684-0051-42f5-87cb-26769a9d30b0/how_to_make_a_resource.cfg_file.pdf
    • http://pekamidakoj.atwebpages.com/bible_quiz_questions_and_answers_from_genesis.pdf
    • https://2e9d2e4a-15d5-4529-8b29-235aceea4e08.filesusr.com/ugd/cac96f_f98dc5f01c2a4df0b4eb6661ff313eb8.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0001343a.bin
    SHA-256: f3598f599e2144cac4198bb834f3dbcf17e33e118ab1fd59afc2eb3879c59842
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1343A
    Size: 5216 bytes
  • font_01_sfnt_off000145df.bin
    SHA-256: bd3cd0bb295b529d2d49591235dc5543c08bc69b32290370965ffe09352d39e4
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x145DF
    Size: 12296 bytes
  • font_02_sfnt_off00016f81.bin
    SHA-256: 9559dd1bd908241551916101fda3d445a26f5c4b506a1423f23393456f9d5940
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x16F81
    Size: 16036 bytes
  • font_03_sfnt_off000183ea.bin
    SHA-256: 0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x183EA
    Size: 4324 bytes