Malicious PDF — malware analysis report

Static analysis result for SHA-256 7509280db8744239…

MALICIOUS

PDF

82.3 KB Created: 2021-04-07 02:44:32 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 80a9294f895ae498e93753be05f42483 SHA-1: 7ea8dd2dbaafd2def471b8f76bfc7f36614c20b9 SHA-256: 7509280db87442392be1d599672806506db6165cba3c047d52aefac7786359b7
176 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link T1059.007 JavaScript

The sample is a PDF document flagged by ML classifiers and ClamAV as malicious. It contains heuristics indicating social engineering tactics, specifically a 'ClickFix' lure that instructs the user to run a command, and a 'password-protected archive' lure. An external URI, 'https://resalured.ru/wix?keyword=manual+floureon+h264', is present, suggesting a potential download or redirection to a malicious payload. No scripts were extracted, but the combination of social engineering and external URL points to a phishing or downloader attack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • ClickFix social engineering attack high SE_CLICKFIX
    Document instructs the user to press Win+R or paste a command into a terminal — consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://resalured.ru/wix?keyword=manual+floureon+h264
    • https://static.s123-cdn-static.com/uploads/4376621/normal_600758589eb44.pdf
    • http://loveantravel.xyz/leguwawedexupaluvejobuznts3v.pdf
    • https://cdn-cms.f-static.net/uploads/4380883/normal_600a78a7a7598.pdf
    • http://itawegan.space/botatomto6p.pdf
    • http://zefutuwukeras.getenjoyment.net/bogoroditse_devo_satb.pdf
    • http://dommasters.site/24761368178rhetc.pdf
    • https://static.s123-cdn-static.com/uploads/4451760/normal_6006483eb42cd.pdf
    • http://rejorevubirobu.sportsontheweb.net/79929531460.pdf
    • https://static.s123-cdn-static.com/uploads/4371004/normal_6004a4300edcd.pdf
    • https://static.s123-cdn-static.com/uploads/4424645/normal_5ff4e9f8ed25f.pdf
    • https://static.s123-cdn-static.com/uploads/4484103/normal_5fc82b3d0cdf0.pdf
    • http://goodsun.fun/31384208029vjz52.pdf
    • https://static.s123-cdn-static.com/uploads/4417664/normal_5fec5b16680ab.pdf
    • https://cdn-cms.f-static.net/uploads/4458633/normal_60137f6ded6be.pdf
    • http://9gusevshop.website/orlando_nursing_process_theoryfpdbt.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/2bde7209-0338-4264-9fa9-ed701bf4eee8/nomesikekiwoxizuso.pdf
    • https://uploads.strikinglycdn.com/files/773443b3-e8e8-49ad-b0a0-549fe6b43ca8/how_to_calculate_the_tds_interest_on_late_payment.pdf
    • http://tuminexozuvino.atwebpages.com/101_email_etiquette.pdf
    • https://s3.amazonaws.com/xuzed/901946639.pdf
    • https://s3.amazonaws.com/luworizesupox/el_cuervo_edgar_allan_poe_descargar.pdf
    • https://s3.amazonaws.com/woxorojero/android_network_media_player_4._2_os.pdf
    • https://uploads.strikinglycdn.com/files/ae97fbdf-4174-4118-be2d-ea3217d8df30/jomunozesewenediki.pdf
    • http://jowosos.myartsonline.com/44898669516.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000102e2.bin
9b03b57fdf7bbaee9ab148a1ab7e4fbcc1397c7d86b58883f2bbe44eb87df5a3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x102E2 5056 bytes
font_01_sfnt_off0001141f.bin
83b866eb1dcee26295e36bd566de6fa56c5b56c02c29f23ee6dd5a5af90b07cf		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1141F 11932 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.