Malicious PDF — malware analysis report

Static analysis result for SHA-256 504973927fc9581c…

MALICIOUS

PDF

Size: 79.8 KB
Created: 2021-03-29 04:32:32 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e26b9211617caf4a7890968a397fee37
SHA-1: aec5b0459ba25812d8854c9477ccf670ff48ff99
SHA-256: 504973927fc9581c28760dd1c8cac043146b0da6959e07f35e9c23950ffa296d
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains embedded URLs that likely lead to malicious content, as indicated by the ML classifier and ClamAV detection. The document body, though heavily obfuscated, suggests a lure related to educational materials, specifically an "English book of class 11 pdf". The presence of external URIs points towards a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size

  • font_00_sfnt_off0000eaea.bin
    SHA-256: 4600f89ce63367023bf216c305b633f00d5efbc8b77dc59cb039ac5264e17e4f
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xEAEA; Size: 5536 bytes
  • font_01_sfnt_off0000fdca.bin
    SHA-256: 64a68cd4b6b31a1279f513541a799b11ff586548155bfa3ca71193f82980f1b6
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xFDCA; Size: 10720 bytes
  • font_02_sfnt_off0001228c.bin
    SHA-256: 5a24017c02c7ed8788f6197929651080a7a66b32a8f7708dad187b951c3c0ff3
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x1228C; Size: 3960 bytes