Malicious PDF — malware analysis report

Static analysis result for SHA-256 34f1845417967f52…

MALICIOUS

PDF

Size: 82.6 KB
Created: 2021-03-22 08:21:22 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1f0397b36e404648fc805c125435610f
SHA-1: b84aea7778f7caae77e83b82878a61aefbe41f2e
SHA-256: 34f1845417967f52fe6da0dcdbef741d364b019cf2c1f6e6d0b8ea12899a290a
Risk Score: 196

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The file was flagged by ClamAV as Pdf.Phishing.Trojan, and the Nyx PDF classifier scored it 0.9998 (malicious). A fake CAPTCHA / human-verification heuristic fired, which points to a social-engineering lure designed to make the user interact with the document rather than to an exploit. The document also carries a large number of clickable external links to throwaway-looking hosts (weebly.com, filesusr.com, epizy.com, iblogger.org), including one to 'resalured.ru' with an SEO-style keyword parameter; this matches a generated link-farm carrier that routes users into a phishing or unwanted-software delivery chain. The tail of the extracted URL list (w3.org, purl.org, ns.adobe.com, scripts.sil.org, dejavu.sourceforge.net) consists of XMP namespace and font-licence URIs carried in metadata and in the embedded fonts, not clickable links, and should not be treated as indicators.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (6)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains a mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV signature match on this file.
  • SE_FAKE_CAPTCHA (high): Fake CAPTCHA / human verification prompt
    Document displays a fake CAPTCHA or human-verification prompt, a lure used to trick users into running commands or pressing keyboard shortcuts.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://resalured.ru/wix?keyword=apk+need+for+speed+underground+2
    • http://xutiwavu.iblogger.org/book_folding_tutorial_easy.pdf
    • https://guxumexowe.weebly.com/uploads/1/3/3/9/133999944/3632192.pdf
    • https://sobuxiba.weebly.com/uploads/1/3/4/8/134867950/7945419.pdf
    • https://nudiwosesi.weebly.com/uploads/1/3/4/3/134317077/fejiwowitogogel_tedugodado.pdf
    • https://feditesar.weebly.com/uploads/1/3/1/4/131483001/kasejajokuvaz_vujetejakato_nizozimabafigak.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://c4cd0dbc-23d7-4f11-b65f-2561cec8abe5.filesusr.com/ugd/516793_1d9a5736ac5a477a94b4db23879e2e4e.pdf?index=true
    • http://zamamow.epizy.com/99954684371.pdf
    • https://c2093f15-f4fb-4bda-9582-db5404103fa6.filesusr.com/ugd/b28561_4708d335e7ca470a847bd2e4a01ac750.pdf?index=true
    • https://7f58a6d3-5723-489e-a2bd-17fd91e1ddd5.filesusr.com/ugd/655495_1d6a044e0dec4151acc8f5b8bff5891a.pdf?index=true
    • https://ef733714-782c-48ea-8991-1bc0bf0c95f2.filesusr.com/ugd/ad2ade_77b017816bbd4ff699380c55ce2e187a.pdf?index=true
    • https://86146b48-cf95-488a-b5a0-22832f4589a6.filesusr.com/ugd/3b4eee_94d0c6be64d84aa6bd4739ec78bb3562.pdf?index=true
    • https://901c4554-6fda-40bf-8344-1f1538f5dc06.filesusr.com/ugd/a76634_b8cd12897e75466a9fef98448c58aabb.pdf?index=true
    • https://fa90eb46-aa9b-4fd1-a2e8-e903ec8e50a4.filesusr.com/ugd/575fb0_566f4aefdcb5438580feccdc4a59978d.pdf?index=true
    • https://ff9dba89-6132-4485-99c2-ace8a2453124.filesusr.com/ugd/c3f59f_10558f516b324e46a0a1a807435af080.pdf?index=true
    • https://eb40363d-1d1f-4170-a897-f23f0f433116.filesusr.com/ugd/2a1429_7b0563fd15844b97999b0cc7809726d9.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
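The PDF_SEO_LINK_FARM, PDF_URI/EMBEDDED_URL and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristics above can be reproduced with a small static pass over the raw bytes. The following is an added example written for this report, not the analysis engine's own code: the regexes, the link-farm thresholds and the sample PDF bytes it builds are constructed assumptions, and the sample is a skeleton with no xref table, so it is only meant to exercise the checks.

```python
"""Static triage for three of the PDF heuristics in this report (added example,
not the engine's code): extract /URI targets, cluster them by host to flag a
link-farm shape, and find indirect objects defined twice with different bodies.

Regex over raw bytes tolerates damaged files but misses URIs inside compressed
object streams; treat this as a triage pass, not a PDF parser.
"""
import hashlib
import re
from collections import Counter
from urllib.parse import urlsplit

OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")

# Thresholds are assumptions chosen for this example, not the report's values.
LINK_FARM_MIN_URIS = 5
LINK_FARM_TOP_HOST_SHARE = 0.6


def iter_objects(data: bytes):
    """Yield (obj_num, gen, body) for every 'N G obj ... endobj' in file order."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3)


def duplicate_objects(data: bytes) -> dict:
    """Map (num, gen) -> distinct body SHA-256s for objects defined more than
    once with different bytes. First-wins and last-wins readers disagree on
    exactly these objects; identical re-definitions are ignored."""
    seen: dict = {}
    for num, gen, body in iter_objects(data):
        digest = hashlib.sha256(body.strip()).hexdigest()
        digests = seen.setdefault((num, gen), [])
        if digest not in digests:
            digests.append(digest)
    return {k: v for k, v in seen.items() if len(v) > 1}


def extract_uris(data: bytes) -> list:
    """Return every literal-string /URI target, with PDF string escapes undone."""
    out = []
    for m in URI_RE.finditer(data):
        raw = m.group(1)
        raw = raw.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")
        out.append(raw.decode("latin-1"))
    return out


def link_farm_verdict(uris: list) -> dict:
    """Cluster URIs by host; flag when many links sit mostly on one host."""
    hosts = Counter(urlsplit(u).hostname or "" for u in uris)
    top_host, top_n = (hosts.most_common(1) or [("", 0)])[0]
    share = top_n / len(uris) if uris else 0.0
    return {
        "uri_count": len(uris),
        "top_host": top_host,
        "top_host_share": round(share, 2),
        "link_farm": len(uris) >= LINK_FARM_MIN_URIS and share >= LINK_FARM_TOP_HOST_SHARE,
    }


def build_sample() -> bytes:
    """Constructed sample: link annotations clustered on one host, followed by
    an incremental update that redefines object 4 with a different /URI.
    Hostnames are placeholders; no xref/trailer is emitted on purpose."""
    hosts = ["a.example-farm.test"] * 5 + ["b.example-farm.test", "cdn.example.test"]
    parts = [b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"]
    for num, host in enumerate(hosts, start=3):
        parts.append(
            b"%d 0 obj\n<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://%s/%d.pdf) >> >>\nendobj\n"
            % (num, host.encode(), num)
        )
    update = (b"4 0 obj\n<< /Type /Annot /Subtype /Link /A "
              b"<< /S /URI /URI (https://evil.example.test/drop.pdf) >> >>\nendobj\n")
    return b"".join(parts) + b"%%EOF\n" + update + b"%%EOF\n"


def triage(data: bytes) -> dict:
    """Run all three checks and return a JSON-friendly summary."""
    uris = extract_uris(data)
    return {
        "uris": uris,
        "link_farm": link_farm_verdict(uris),
        "duplicate_objects": {"%d %d" % k: v for k, v in duplicate_objects(data).items()},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample()), indent=2))
```

On the constructed sample the pass reports eight URIs, five of them on one host (share 0.62, so the link-farm flag fires), and one duplicated object, 4 0, with two distinct body digests; on a real file, run it against the bytes of the PDF and confirm any duplicate-object hit with a proper parser, since a benign incremental save produces the same shape whenever an annotation is edited.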

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000ed55.bin
  SHA-256: 833521698b322e9c6d74504ba2d1058079ebbfa125217986708955599ed5cbc2
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xED55
  Size: 5152 bytes

Filename: font_01_sfnt_off0000fefd.bin
  SHA-256: 86975d58325658a4b34612e45dde53edbb062fe5f38a5f626a9c677af217122b
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xFEFD
  Size: 11920 bytes

Filename: font_02_sfnt_off00012636.bin
  SHA-256: 39b2f4b99ee08965fd4836f89f628a00cde8346cb181131bba0308e80db8fb67
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x12636
  Size: 16092 bytes