Malicious PDF — malware analysis report

Static analysis result for SHA-256 41d8d791830f5dca…

Verdict: MALICIOUS
File type: PDF
Size: 149.7 KB
Created: 2021-03-12 02:46:34 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d85c83ca9c285394754bd4e2f2e03f01
SHA-1: 2eaa8e19a7d6423a290ad431a40fc9ad4dcff9be
SHA-256: 41d8d791830f5dcaf7bfbf1df62d7bc63fc96d0da9c28362a09c788b32ee75bb
Risk score: 104

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The file was flagged as malicious by the Nyx PDF classifier (score 0.9972) and by ClamAV, whose signature names it a PDF phishing trojan. Of the URLs extracted from the document, the primary indicator is 'https://resalured.ru/123?utm_term=allan+quatermain+sinhala+pdf'; its utm_term value reads as the search phrase the lure is built around, and the other .pdf links on free-hosting domains (epizy.com, rf.gd, 22web.org, filesusr.com, strikinglycdn.com) fit the same download-lure pattern and are worth pivoting on. Most of the remaining URLs (w3.org, purl.org, ns.adobe.com, dejavu.sourceforge.net, scripts.sil.org, gnu.org, sinhala.sourceforge.net) are XMP namespace and font-licence references carried in by wkhtmltopdf and the embedded fonts, and are not indicators on their own. The visual download-button heuristic is low-signal by itself but is consistent with a phishing lure that sends the reader off-document to fetch the promised file.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9972

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://resalured.ru/123?utm_term=allan+quatermain+sinhala+pdf
    • http://xatamekele.iblogger.org/smell_like_chloroform_means.pdf
    • http://healthit.space/jejewolowaabee.pdf
    • http://marketop.club/butaxiladatatefuvebujopij200ma.pdf
    • http://logmeinnow.xyz/business_english_vocabulary_quiz1rqst.pdf
    • http://net-klientov.ru/does_inkscape_work_with_ipadhpu62.pdf
    • http://vsedlyatebya.xyz/wepesaxajefadaxrqii0.pdf
    • http://shoop-fp.ru/frases_de_100_aos_de_soledad_macondosk6lf.pdf
    • http://duwadomet.22web.org/baskerville_italic_font_free.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/bb4ee809-a058-4166-8a8c-d8b25eed356d/mokaru.pdf
    • http://fufolisokoja.rf.gd/duzexalubasozowuv.pdf
    • https://4bd9ed84-c80b-4837-bb2f-b1353ebfd8aa.filesusr.com/ugd/5a1791_05f134fbac3a4d3b9fcffce80d50abdb.pdf?index=true
    • http://sejugejamojido.epizy.com/samsung_bd_j5700.pdf
    • https://d56a38bf-d62e-453c-9b5b-5b2fe88aea46.filesusr.com/ugd/359e64_d684f258c79d4bcfa651cefbf19f7ff5.pdf?index=true
    • https://3c8197b3-f999-4f29-b3da-fbdfea3dbf34.filesusr.com/ugd/0047a4_b152e01c90dc457ca85e8c610a5ae226.pdf?index=true
    • https://b064d0e4-88d6-4b7e-8087-8ebf790fcba6.filesusr.com/ugd/ca32a8_8b8f4f945ad94c9fb303b3feeb257ce9.pdf?index=true
    • https://48b7024d-7414-4593-b44d-ed892b96ad15.filesusr.com/ugd/3e5db3_a3c96a55a8be4d7fa1b41b03a75770f5.pdf?index=true
    • https://uploads.strikinglycdn.com/files/a9456d31-7eb2-4f9a-ad07-a702fa7ae8c4/linksys_ea2700_password_setup.pdf
    • https://a6047d18-b57f-4fdc-88fa-dea7715a8642.filesusr.com/ugd/189347_8444c45091b34cdfbec5247657f98dc5.pdf?index=true
    • https://uploads.strikinglycdn.com/files/e5bca6ac-1369-4602-8e64-d390d046e015/el_nombre_de_la_rosa_pelicula_personajes_principales.pdf
    • https://26c1613e-5d28-4fa3-89cb-3d2c9ab59faf.filesusr.com/ugd/fe83c3_3cceb6a9fb0c4442939cf611ddd14448.pdf?index=true
    • http://kujafugakare.epizy.com/84145991518.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    • http://scripts.sil.org/OFL
    • http://www.geocities.com/mitra_anirban/hobbies.htmGNU
    • http://www.gnu.org/copyleft/gpl.htmRegular
    • http://sinhala.sourceforge.net/
    • http://sinhala.cvs.sourceforge.net/viewvc/*checkout*/sinhala/sinhala/fonts/CREDITS
    • http://www.gnu.org/licenses/gpl-2.0.html
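As an added example, not code from this report or from the scanner that produced it: a small Python triage script that illustrates the two heuristics above, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and the per-channel labelling of EMBEDDED_URL. It walks every raw "N G obj ... endobj" definition in file order without trusting the xref table, flags object numbers defined more than once with differing bodies, raises severity only when a duplicate carries active content, and extracts URLs under both first-wins and last-wins resolution with a label saying which channel (URI action or JavaScript) reaches each URL. The PDF bytes, the example.invalid URLs and the ACTIVE_KEYS list are constructed for the example; the real scanner's logic is not shown on this page.

```python
import re
from collections import defaultdict

# Constructed sample (not the analysed file). Object 4 0, a Link annotation, is
# defined twice with different bodies: the original carries a plain /URI action,
# the appended copy swaps in a JavaScript action. Object 5 0 is also defined
# twice but byte-for-byte identical, the shape of a benign incremental update.
# The xref tables are omitted on purpose; the scanner below never consults them.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example.invalid/benign.pdf) >> >>
endobj
5 0 obj
<< /Producer (constructed sample) >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
4 0 obj
<< /Type /Annot /Subtype /Link /A << /S /JavaScript /JS (app.launchURL("http://example.invalid/lure")) >> >>
endobj
5 0 obj
<< /Producer (constructed sample) >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# Scan raw bytes for every "N G obj ... endobj" so each definition is seen in
# file order, regardless of what the xref table points to.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
URL_RE = re.compile(rb"https?://[^\s\"')<>]+")
# Assumed list of keys whose presence means the object can trigger behaviour on open or click.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA", b"/SubmitForm")


def parse_objects(data):
    """Map (num, gen) -> list of body bytes, one per definition, in file order."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return objs


def duplicate_objects(objs):
    """Objects defined more than once with differing bodies.

    Byte-identical redefinitions are skipped (benign incremental updates make
    them); severity is raised only when a definition carries active content.
    """
    findings = []
    for key, bodies in objs.items():
        if len(bodies) < 2 or len(set(bodies)) == 1:
            continue
        active = any(k in body for body in bodies for k in ACTIVE_KEYS)
        findings.append({"obj": key, "definitions": len(bodies),
                         "first": bodies[0], "last": bodies[-1],
                         "active": active, "severity": "high" if active else "info"})
    return findings


def extract_urls(objs, policy="last"):
    """(obj, channel, url) triples as a first-wins or last-wins reader sees them.

    channel is "uri-action" for a /URI action and "javascript" for a URL that
    only appears inside /JS code, so the label says how each URL is reached.
    """
    assert policy in ("first", "last")
    out = []
    for key, bodies in objs.items():
        body = bodies[0] if policy == "first" else bodies[-1]
        for m in URI_RE.finditer(body):
            out.append((key, "uri-action", m.group(1).decode("latin-1")))
        if b"/JS" in body or b"/JavaScript" in body:
            for m in URL_RE.finditer(body):
                out.append((key, "javascript", m.group(0).decode("latin-1")))
    return out


def triage(data):
    """Run both checks; the two URL lists show how resolution policy changes the picture."""
    objs = parse_objects(data)
    return {"duplicates": duplicate_objects(objs),
            "urls_first_wins": extract_urls(objs, "first"),
            "urls_last_wins": extract_urls(objs, "last")}


if __name__ == "__main__":
    for name, value in triage(SAMPLE_PDF).items():
        print(name, value)
```

On the constructed sample a first-wins reader reports only the benign URI action while a last-wins reader reports only the JavaScript-reached lure, which is the parser-confusion shape the heuristic describes. A duplicate whose bodies differ but carry none of the active keys stays at info, matching the severity this report assigned to its PDF_DUPLICATE_OBJ_BODY_INCREMENTAL finding.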

Extracted artifacts 5

Files carved from inside the sample during analysis.

  • stream_006_off000216bb.bin
    SHA-256: 22f8d3188e75a241d2b958f79100cfd984c16ef83297b84fd54744e59199b2e8
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x216BB
    Size: 27728 bytes
  • font_00_sfnt_off00014b5b.bin
    SHA-256: 80462c738829d807314dddd7c884b14429e11aeb3d7957afa74cc4872c4740db
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x14B5B
    Size: 5396 bytes
  • font_01_sfnt_off00015d88.bin
    SHA-256: 5914127903482c630f4477e0da4fbc914d666f1132455225396f5d79be1b53e6
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x15D88
    Size: 17692 bytes
  • font_02_sfnt_off00019009.bin
    SHA-256: 800c5d7ee0eea5a1c2ad07d3a0022e582417c7f753e6be7cf511f30dca436019
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x19009
    Size: 39984 bytes
  • font_03_sfnt_off0001e767.bin
    SHA-256: ff6cf0378cae14be2094afb6ed89a92a3a8b17f911954161ea4f4f1d80dd1643
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1E767
    Size: 15192 bytes