Malicious PDF — malware analysis report

Static analysis result for SHA-256 9385ad6f094dca29…

Verdict: MALICIOUS
File type: PDF
Size: 87.2 KB
Created: 2021-04-08 08:51:34 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f9093f83927de87009c8cc1d2e0f8777
SHA-1: b50c34545b44d5213ac441bd6f1733b4766c18b9
SHA-256: 9385ad6f094dca29709b829f1014ea2751cf241a69bb8cbd096f63ee9af89187
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. It contains an embedded URI pointing to a suspicious domain, 'resalured.ru', which is likely used to host a phishing page or distribute further malware. The document body, though heavily obfuscated, suggests it is attempting to masquerade as a benign document related to English grammar exercises.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://resalured.ru/strik?utm_term=10+oraciones+afirmativas+en+pasado+simple+con+verbos+regulares+en+ingles

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000fa9b.bin | ffdf985d64be5ec90ad2a38863007e3692b108a3ce8ce8b826280bd02b7bb310 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFA9B | 5772 bytes
font_01_sfnt_off00010e30.bin | 417ace6998b0b1068195cd5658e0c5c4e3c02373df0dfc0eecbcfed429ef7f3c | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10E30 | 12364 bytes
font_02_sfnt_off00013657.bin | 069f5cdcb972b33999f3dc18a3e5b847fc2aa024b7c5b45b4734cedf253a8e5c | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13657 | 16376 bytes