Malicious PDF — malware analysis report

Static analysis result for SHA-256 64152030f251f047…

Verdict: MALICIOUS
File type: PDF
Size: 76.6 KB
Created: 2021-03-27 18:48:49 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f055ec33d2606b4729e0ea33085cb65e
SHA-1: 7aa9242390ad0bbda852672b00b2b8474bc7dfe1
SHA-256: 64152030f251f0471bc7487e339d033c9bdfb60ddce6e7d7180f521c791c132e
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The file was flagged as malicious by the Nyx PDF classifier (score 0.9985) and by ClamAV, whose signature names it a PDF phishing trojan. It carries numerous embedded URLs. The one labelled as a link target, 'https://resalured.ru/wix?keyword=apk+builder+for+android', reads as the primary lure and suggests the document is meant to draw the user into fetching further content advertised as an Android APK builder. Most of the remaining URLs point to other PDF files on assorted hosts and CDN buckets, a pattern consistent with mass-generated lure documents, while the w3.org, purl.org, ns.adobe.com, ascendercorp.com, daltonmaag.com and scripts.sil.org entries appear to come from XMP metadata and embedded-font licence strings rather than from anything the reader can click. The authoring application is wkhtmltopdf, so the document was converted from HTML, which fits a generated lure page rather than an authored document. One caveat for the ATT&CK mapping: T1059.007 (JavaScript) is listed, but none of the heuristics below report JavaScript in the file; the verdict rests on the phishing signature and the link content, and a JavaScript claim should be confirmed by checking the objects for /JS or /JavaScript before it is carried into reporting.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9985

Heuristics (4)

  • ClamAV detection (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI action (info) PDF_URI
    The PDF contains an external URL action (/URI).
  • Object number defined twice with different bodies (info) PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content (an action, JavaScript, or similar).
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels show which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://resalured.ru/wix?keyword=apk+builder+for+android (labelled: URL)
    • https://cdn-cms.f-static.net/uploads/4477921/normal_604a861059514.pdf
    • http://lnstagramverifiedbadgeservice.com/92513407802frgh9.pdf
    • http://idealicaitalia.website/nitujokanozuwixameno5d4v.pdf
    • http://ighelpcenter.xyz/the_fabulous_furry_freak_brothers5dd9v.pdf
    • https://static.s123-cdn-static.com/uploads/4423714/normal_6006e1b753efb.pdf
    • https://cdn.sqhk.co/xunijejozi/sge0giE/borarokulabubidunogudab.pdf
    • https://cdn-cms.f-static.net/uploads/4384650/normal_5fe60e34c2c55.pdf
    • https://cdn-cms.f-static.net/uploads/4474997/normal_6046b6d11a5c2.pdf
    • http://carinsusa.info/spectrum_math_workbook_grade_8_free92cvz.pdf
    • http://bonboxstudio.com/trim_up_the_tree_lyricsr24ay.pdf
    • http://naturfresh.space/72310975626rkfuh.pdf
    • https://static.s123-cdn-static.com/uploads/4501791/normal_5ff5ad1a2606e.pdf
    • https://cdn-cms.f-static.net/uploads/4376126/normal_600c9ea19de13.pdf
    • https://cdn-cms.f-static.net/uploads/4374532/normal_60115553d5bb4.pdf
    • https://cdn.sqhk.co/fasotaluvose/S9cK3hb/medieval_times_life_in_a_castle.pdf
    • https://cdn.sqhk.co/felolavap/sicO738/name_this_song_siri.pdf
    • http://tokio-2020.fun/wosomop93f81.pdf
    • http://doctora.club/85214205999wlgxk.pdf
    • http://yatvoyya.fun/bipolar_junction_transistor_experiment_reportq06w5.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://s3.amazonaws.com/fazujo/vidmate_apk_install_uptodown.pdf
    • https://s3.amazonaws.com/gekojulog/breviarios_fce.pdf
    • https://s3.amazonaws.com/vudivuzakal/roseville_college_year_10_formal.pdf
    • https://s3.amazonaws.com/zifozujiwi/45938303300.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
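The two heuristics above that carry the analytical weight, an object number defined twice with different bodies and URLs classified by the channel that reaches them, are simple to reproduce on raw bytes. The script below is an added example, not the analysis platform's own code. It walks every `N G obj ... endobj` definition itself instead of trusting the xref table, so a re-defined object is seen twice, records which revision (original file or which incremental update) each copy lives in, shows what a first-wins and a last-wins reader would resolve, applies the report's rule that severity rises only when a duplicate carries active content, and tags each URL as reached by a `/URI` action or merely present in the body. The sample PDF and its URLs are constructed for the example; only literal-string `/URI` values are handled.

```python
"""Duplicate-object and URL-channel triage for a PDF, as the report's
PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and EMBEDDED_URL heuristics describe.

Added example, not the analysis platform's code. It parses the raw
'N G obj ... endobj' definitions itself (no xref trust), so an object that is
defined twice is seen twice, which is the whole point.
"""
import hashlib
import re
from collections import namedtuple

Obj = namedtuple("Obj", "num gen offset revision body")

OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
# A body containing one of these can act when a reader resolves it.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA",
               b"/URI", b"/SubmitForm", b"/GoToR")
# Any http(s) URL in the raw bytes: link actions, XMP namespaces, font
# licence strings and plain text all match here.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'*+,;=%-]+")
# The /URI key of a URI action with a literal-string value (hex strings and
# indirect references are out of scope for this example).
URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def parse_objects(data: bytes) -> list:
    """Every indirect object definition in file order. revision counts the
    %%EOF markers before the definition: 0 is the original file, 1 the first
    incremental update, and so on."""
    return [Obj(int(m.group(1)), int(m.group(2)), m.start(),
                data.count(b"%%EOF", 0, m.start()), m.group(3))
            for m in OBJ_RE.finditer(data)]


def is_active(body: bytes) -> bool:
    return any(key in body for key in ACTIVE_KEYS)


def duplicate_definitions(data: bytes) -> dict:
    """(num, gen) -> list of Obj, only for objects defined more than once
    with differing body bytes (identical re-definitions are ignored)."""
    groups = {}
    for obj in parse_objects(data):
        groups.setdefault((obj.num, obj.gen), []).append(obj)
    return {key: objs for key, objs in groups.items()
            if len({hashlib.sha256(o.body).digest() for o in objs}) > 1}


def severity(dups: dict) -> str:
    """The report's rule: body-only duplicates stay 'info' unless some copy
    of a duplicated object carries active content."""
    raised = any(is_active(o.body) for objs in dups.values() for o in objs)
    return "raised" if raised else "info"


def resolve(data: bytes, num: int, gen: int, policy: str) -> bytes:
    """Body a first-wins or last-wins reader uses for (num, gen)."""
    bodies = [o.body for o in parse_objects(data) if (o.num, o.gen) == (num, gen)]
    return bodies[0] if policy == "first" else bodies[-1]


def classify_urls(data: bytes) -> dict:
    """URL -> set of channels: 'uri-action' when a /URI action names it,
    'body' when it merely occurs in the bytes."""
    channels = {}
    for m in URI_ACTION_RE.finditer(data):
        channels.setdefault(m.group(1), set()).add("uri-action")
    for m in URL_RE.finditer(data):
        channels.setdefault(m.group(0), set()).add("body")
    return channels


# Constructed sample (not the analysed file). Object 4 is a harmless sticky
# note in the original revision and is re-defined by an incremental update as
# a full-page link whose /URI action is the lure.
SAMPLE = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Text /Rect [0 0 10 10]\n"
    b"   /Contents (sticky note) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 612 792]\n"
    b"   /A << /S /URI /URI (https://lure.example/wix?keyword=apk+builder) >> >>\n"
    b"endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
    b"% xmlns:rdf=\"http://www.w3.org/1999/02/22-rdf-syntax-ns#\"\n"
)


if __name__ == "__main__":
    dups = duplicate_definitions(SAMPLE)
    for (num, gen), objs in dups.items():
        print(f"object {num} {gen}: {len(objs)} definitions, severity {severity(dups)}")
        for o in objs:
            print(f"  offset 0x{o.offset:X} revision {o.revision} active={is_active(o.body)}")
    print("first-wins:", resolve(SAMPLE, 4, 0, "first")[:45])
    print("last-wins :", resolve(SAMPLE, 4, 0, "last")[:45])
    for url, chans in sorted(classify_urls(SAMPLE).items()):
        print(url.decode(), sorted(chans))
```

Run against the sample, object 4 0 comes back defined twice with different bodies, the original copy inactive and the incremental copy active, so the severity is raised; a first-wins reader resolves the sticky note and a last-wins reader the link action. The lure URL is tagged both `uri-action` and `body`, while the rdf-syntax namespace URL, like the XMP and font-licence URLs in the list above, is tagged `body` only. Object streams (`/Type /ObjStm`) hide definitions inside compressed data and would need inflating first; this example does not do that.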

Extracted artifacts (4)

Files carved from inside the sample during analysis.

font_00_sfnt_off0000ceb6.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xCEB6
  Size:    4852 bytes
  SHA-256: 8dc72b11d606377802eb7167748cdf91fd41479e7993dec33d29e34e7b539819

font_01_sfnt_off0000df28.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xDF28
  Size:    3024 bytes
  SHA-256: f271277bc92c8ec255f016eb89af31946ace6cee13b85d2ca72bafc089855a25

font_02_sfnt_off0000ea5c.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xEA5C
  Size:    15908 bytes
  SHA-256: e9290b51250c6ac95b7e0f7e75a5f42b6f7fda6de19d3dbe608184a06c02453f

font_03_sfnt_off0001152f.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x1152F
  Size:    4324 bytes
  SHA-256: ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3
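The font artifacts above are what a stream carver produces: each PDF stream is located, inflated if it is `/FlateDecode`, tested for an sfnt magic, and recorded with its offset, decoded size and SHA-256. The script below is an added example, not the platform's carving code, and reproduces that on a constructed PDF that embeds a constructed two-table sfnt; it also lists the sfnt table directory, which is what you look at next when deciding whether an embedded font is a font-parser exploit candidate or just the document's typography. The offset it reports is that of the stream data, which is an assumption about what the report's offset column means.

```python
"""Carve embedded sfnt fonts from a PDF and fingerprint them the way the
report's 'pdf-font-stream' artifacts are listed: stream offset, decoded size
and SHA-256, plus the sfnt table directory. Added example, not the analysis
platform's code; it works on a constructed PDF embedding a constructed font.
"""
import hashlib
import re
import struct
import zlib

# 'N G obj << dict >> stream' without running past an intervening endobj.
STREAM_RE = re.compile(
    rb"(\d+)\s+(\d+)\s+obj\s*<<((?:(?!endobj).)*?)>>\s*stream\r?\n", re.S)
# Direct /Length only; '/Length 7 0 R' (indirect) and '/Length1' do not match.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")
SFNT_MAGICS = {b"\x00\x01\x00\x00": "truetype", b"true": "truetype",
               b"OTTO": "opentype-cff", b"ttcf": "collection"}


def raw_stream(data: bytes, m) -> bytes:
    """Stream bytes for a STREAM_RE match: trust a direct /Length when
    present, otherwise carve up to the next 'endstream'."""
    start = m.end()
    length = LENGTH_RE.search(m.group(3))
    if length:
        return data[start:start + int(length.group(1))]
    end = data.find(b"endstream", start)
    return data[start:end].rstrip(b"\r\n")


def decode_stream(dict_bytes: bytes, raw: bytes) -> bytes:
    """Only /FlateDecode is handled; anything else is returned as-is."""
    return zlib.decompress(raw) if b"/FlateDecode" in dict_bytes else raw


def sfnt_tables(font: bytes) -> list:
    """Table tags from the 12-byte sfnt offset table and its 16-byte records."""
    num_tables = struct.unpack(">H", font[4:6])[0]
    return [font[12 + 16 * i:16 + 16 * i] for i in range(num_tables)]


def carve_fonts(data: bytes) -> list:
    """One record per stream whose decoded payload starts with an sfnt magic."""
    found = []
    for m in STREAM_RE.finditer(data):
        try:
            payload = decode_stream(m.group(3), raw_stream(data, m))
        except zlib.error:
            continue  # corrupt, or non-Flate data claiming to be Flate
        kind = SFNT_MAGICS.get(payload[:4])
        if kind is None:
            continue
        offset = m.end()  # file offset of the stream data itself (assumed)
        found.append({
            "name": f"font_{len(found):02d}_sfnt_off{offset:08x}.bin",
            "object": (int(m.group(1)), int(m.group(2))),
            "offset": offset,
            "size": len(payload),
            "kind": kind,
            "tables": sfnt_tables(payload),
            "sha256": hashlib.sha256(payload).hexdigest(),
            "data": payload,
        })
    return found


def build_sfnt(tables: dict) -> bytes:
    """Constructed minimal TrueType-flavoured sfnt: offset table, one record
    per table, then the table data. Checksums are left zero."""
    header = struct.pack(">IHHHH", 0x00010000, len(tables), 0, 0, 0)
    records, body = b"", b""
    data_start = 12 + 16 * len(tables)
    for tag, blob in tables.items():
        records += struct.pack(">4sIII", tag, 0, data_start + len(body), len(blob))
        body += blob
    return header + records + body


FONT = build_sfnt({b"head": b"\x00" * 54, b"glyf": b"\x00" * 16})
_DEFLATED = zlib.compress(FONT)
# Constructed PDF (not the analysed sample): object 2 embeds FONT deflated,
# object 3 is a plain content stream and must not be carved.
SAMPLE = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog >> endobj\n"
    b"2 0 obj << /Filter /FlateDecode /Length " + str(len(_DEFLATED)).encode()
    + b" /Length1 " + str(len(FONT)).encode() + b" >>\nstream\n"
    + _DEFLATED + b"\nendstream\nendobj\n"
    b"3 0 obj << /Length 11 >>\nstream\nnot a font!\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


if __name__ == "__main__":
    for f in carve_fonts(SAMPLE):
        tags = b" ".join(f["tables"]).decode()
        print(f"{f['name']}  obj {f['object']}  {f['kind']}  {f['size']} bytes  "
              f"[{tags}]  {f['sha256']}")
```

Only object 2 is carved; the plain content stream in object 3 fails the magic check. On a real sample, write each record's `data` to the file named in `name` and hash that file to cross-check the SHA-256 column. Fonts reached through `/FontFile3` with other filters, and fonts inside object streams, need the extra decoding this example leaves out.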