Malicious PDF — malware analysis report

Static analysis result for SHA-256 48201ab43e5e702a…

Verdict: MALICIOUS
File type: PDF
Size: 84.5 KB
Created: 2021-04-06 16:16:01 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e5b68a8774ae9008996758cac3b5feb5
SHA-1: 967e667e89bc6058f662821f8426cff31897d6dc
SHA-256: 48201ab43e5e702a359e5e2a1b4687899b39b56098e11e14f6f920362899b3ef
Risk score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The file was flagged by a critical ClamAV signature (Pdf.Phishing.Trojan) and by the ML classifier. The URL the report highlights, `https://resalured.ru/strik?utm_term=wd+my+cloud+os+5+update`, is dressed up as a software-update lure (the query string references a "WD My Cloud OS 5 update"), which is consistent with a phishing or credential-harvesting attachment rather than an exploit document. No script was extracted from the file, so the T1059.007 (JavaScript) mapping is not corroborated by the static findings and should be treated as tentative. The remaining URLs fall into two groups: throwaway links to further PDFs on free hosting, S3 buckets and a site-builder CDN, and XMP namespace and font-licence URIs that come from document metadata and the embedded fonts rather than from anything a reader can click.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics (4)

  • ClamAV detection critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once in the file with different body bytes. A first-wins reader and a last-wins reader will resolve the object to different content, a parser-confusion shape used by targeted PDFs to show one thing to a scanner and another to the viewer. Body-only differences are also what a benign incremental update (a saved edit appended after the original %%EOF) looks like, so severity is raised only when one of the competing bodies carries active content such as an action or script.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; how much weight it carries depends on the channel through which it is reached (link annotation, JavaScript, macro, document body, metadata, ...).
    Highlighted URL: https://resalured.ru/strik?utm_term=wd+my+cloud+os+5+update
    Other URLs extracted from the document (links to further PDFs on free hosting, S3 buckets and a site-builder CDN):
    • http://rekijiwowak.scienceontheweb.net/mofakalaneguvo.pdf
    • http://miwewumexurigan.sportsontheweb.net/71135566055.pdf
    • http://tulomodev.getenjoyment.net/30234692844.pdf
    • http://nefuwumimo.iblogger.org/how_much_does_it_cost_to_fix_ipod_nano_screen.pdf
    • http://movizopolu.medianewsonline.com/pexedexabewakaxejuwawuju.pdf
    • http://tawaguf.scienceontheweb.net/how_to_tune_cobra_29_ltd_classic.pdf
    • https://uploads.strikinglycdn.com/files/3bec9b41-ca8f-46fa-84b0-32203cc1f833/dakawixosinuti.pdf
    • https://uploads.strikinglycdn.com/files/64909077-9296-4e04-8a4d-66cfefa98bc1/74253498508.pdf
    • http://pulilidason.epizy.com/98689438060.pdf
    • http://fumexilali.rf.gd/81748634765.pdf
    • https://s3.amazonaws.com/minabiwa/narejeropajemizi.pdf
    • http://tukutuxobolekub.epizy.com/nasarineduzapisu.pdf
    • https://s3.amazonaws.com/jovekus/what_are_the_wild_dogs_in_australia_called.pdf
    • https://s3.amazonaws.com/muxozuvalubi/how_many_names_in_vishnu_sahasranamam.pdf
    • https://s3.amazonaws.com/toliwudalamem/179039143.pdf
    • https://s3.amazonaws.com/mejobu/movies_now_apk.pdf
    • https://s3.amazonaws.com/doxifuba/comptia_a_certification_all-in-one_for_dummies.pdf
    • https://uploads.strikinglycdn.com/files/abfcd056-626c-404e-8142-91d3eee3c906/75881435372.pdf
    • https://s3.amazonaws.com/lawakux/27442388003.pdf
    • https://uploads.strikinglycdn.com/files/57a7e353-ebee-406c-a4de-1f2564d21215/18119521398.pdf
    • http://mobukug.myartsonline.com/advocacy_definition.pdf
    • https://uploads.strikinglycdn.com/files/11ad10fb-4b6a-4271-b517-4117d2d3b5d4/bissell_powerclean_powerbrush_pet_carpet_cleaner_parts.pdf
    XMP namespace URIs from the document metadata, and font-licence and font-vendor URLs apparently from the name tables of the embedded fonts (not links; expected in wkhtmltopdf output that embeds system fonts such as DejaVu):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
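As an added example (not code from this report or from the engine that produced it), the following Python script reproduces two of the checks above on a constructed miniature PDF: it lists every indirect object definition, reports object numbers defined twice with different bodies and shows what a first-wins and a last-wins reader would resolve for them, applies the "raise severity only when a duplicate carries active content" rule, and separates URLs reached through a /URI link action from bare URL strings such as the XMP namespace URIs in the list above. The sample bytes (an original body plus one incremental update that redefines the link annotation), the function names, the "raised" severity label and the active-content keyword list are assumptions made for the example; the script works on object bodies with regular expressions and ignores xref tables, hex strings and object streams.

```python
import re
from collections import defaultdict

# Constructed sample, not the analyzed file: a cut-down PDF (xref tables omitted,
# the scanner never consults them). The original body defines object 4 as a link
# annotation; an incremental update appended after the first %%EOF redefines
# object 4 with a different /URI target. The metadata stream carries an XMP
# namespace URI, which a naive URL grep would report next to real link targets.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /Annots [4 0 R] /Metadata 5 0 R >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.com/benign) >> >>
endobj
5 0 obj
<< /Type /Metadata /Subtype /XML /Length 114 >>
stream
<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/></x:xmpmeta>
endstream
endobj
trailer
<< /Root 1 0 R >>
%%EOF
4 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://resalured.ru/strik?utm_term=wd+my+cloud+os+5+update) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# Byte-level patterns. Simplification: /URI targets as literal strings only.
OBJ_RE = re.compile(rb"(?<!\d)(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_ACTION_RE = re.compile(rb"/S\s*/URI\b.*?/URI\s*\(([^)]*)\)", re.S)
URL_RE = re.compile(rb"https?://[^\s<>\"'()]+")
# Assumed "active content" keywords for the severity rule; not the report's exact list.
ACTIVE_RE = re.compile(rb"/(JavaScript|JS|Launch|URI|OpenAction|AA|EmbeddedFile)\b")


def indirect_objects(data):
    """Every 'N G obj ... endobj' definition in file order, redefinitions included."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3).strip())
            for m in OBJ_RE.finditer(data)]


def duplicate_bodies(data):
    """(num, gen) -> bodies, for objects defined more than once with differing bytes."""
    seen = defaultdict(list)
    for num, gen, body in indirect_objects(data):
        seen[(num, gen)].append(body)
    return {key: bodies for key, bodies in seen.items() if len(set(bodies)) > 1}


def resolve(data, num, gen, policy="last"):
    """Body a first-wins or last-wins reader uses for (num, gen); None if undefined."""
    bodies = [b for n, g, b in indirect_objects(data) if (n, g) == (num, gen)]
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


def flag_duplicates(data):
    """Severity per duplicated object: 'info' for a body-only difference, 'raised'
    when any of the competing bodies carries active content."""
    return {key: "raised" if any(ACTIVE_RE.search(b) for b in bodies) else "info"
            for key, bodies in duplicate_bodies(data).items()}


def uri_actions(data):
    """URLs reachable through a /URI action (clickable links), one entry per object
    definition, so a redefined annotation shows both of its targets."""
    return [(num, gen, m.group(1).decode("latin-1"))
            for num, gen, body in indirect_objects(data)
            for m in URI_ACTION_RE.finditer(body)]


def bare_urls(data):
    """http(s) strings anywhere in the file that are not /URI action targets;
    XMP namespaces and font-licence URIs land here, not in uri_actions()."""
    targets = {url for _, _, url in uri_actions(data)}
    return sorted({m.group(0).decode("latin-1") for m in URL_RE.finditer(data)} - targets)


if __name__ == "__main__":
    for (num, gen), severity in flag_duplicates(SAMPLE_PDF).items():
        print(f"object {num} {gen} defined more than once, severity {severity}")
        print("  first-wins:", resolve(SAMPLE_PDF, num, gen, "first").decode("latin-1"))
        print("  last-wins: ", resolve(SAMPLE_PDF, num, gen, "last").decode("latin-1"))
    for num, gen, url in uri_actions(SAMPLE_PDF):
        print(f"link action in object {num} {gen}: {url}")
    print("non-action URLs:", bare_urls(SAMPLE_PDF))
```

Run against the constructed sample, the script reports object 4 0 as a raised-severity duplicate whose first-wins body points at the benign URL and whose last-wins body points at the lure, lists both targets as link actions, and leaves only the rdf-syntax-ns namespace in the non-action bucket. On a real file the same split is what tells the link-annotation URL in the report apart from the XMP and font-licence URIs that follow it.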

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000f45c.bin
    SHA-256: 960f9f0ba0002865676d0ce98466511bb303fc51a1aeccbf5d454592331ad6e8
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF45C
    Size: 5360 bytes
  • font_01_sfnt_off000106a4.bin
    SHA-256: c1293874af42caac23331c9fa328228c2f4a9a0af1fd90d0ba50f8896f23bbd8
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x106A4
    Size: 12184 bytes
  • font_02_sfnt_off00012ee2.bin
    SHA-256: 31aa257675234f953cb39254c73a0c002637764ec2691c470e0912636c3685cf
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12EE2
    Size: 16204 bytes