Malicious PDF — malware analysis report

Static analysis result for SHA-256 814cf00e7dbe71ca…

Verdict: MALICIOUS
File type: PDF
Size: 80.4 KB
Created: 2021-03-20 06:54:02 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 43c1b7ad9a297add843ea596a525fc95
SHA-1: 8afd78ea3eeda28383daf6ccedb62f132b9ec0af
SHA-256: 814cf00e7dbe71caa5745bd30f9a4b8d94df57b917a3eae7bcad49d51265c646
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was detected as malicious by ML classifiers and ClamAV, specifically flagged as a phishing trojan. It contains an embedded URI pointing to a suspicious domain, 'resalured.ru', which is likely part of a phishing or malware distribution scheme. The document body, though heavily obfuscated, suggests a lure related to 'Top 10 answers on Quora' to entice users to click the malicious link.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    The PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://resalured.ru/123?utm_term=top+10+answers+on+quora

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000fdeb.bin
    SHA-256: 38372bb5ea1874abef9bde11258d1ded2fe2c854f8441683866157bc59f4fe57
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFDEB
    Size: 5144 bytes
  • Filename: font_01_sfnt_off00010f95.bin
    SHA-256: 61107cb57b3663a776c819859aa934fbbaeb09179c7ecc362189644d2444b751
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10F95
    Size: 10584 bytes