Malicious PDF — malware analysis report

Static analysis result for SHA-256 e0e521b0535660b4…

MALICIOUS

PDF

88.5 KB Created: 2021-03-24 05:00:14 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-07-02
MD5: dfa5e2437dd96554882c931118175ae0 SHA-1: 3ef1325ae447fc9a9ea01448e0e0ae6273b6f580 SHA-256: e0e521b0535660b478f1410b2b85ea8a00eaa04ac9f7d8b130e62647575020ba
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was flagged by multiple heuristics as malicious, including a critical ClamAV detection for a phishing trojan. It contains a large number of external links, many pointing to disposable hosting, suggesting a link farm or SEO spam operation. The primary malicious URL identified is resalured.ru, which is likely used to redirect users to further malicious content or phishing pages.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://resalured.ru/wix?keyword=charbroil+oilless+fryer+manual PDF link annotation
    • https://nobarolibefo.weebly.com/uploads/1/3/1/4/131407117/jojudogek_ratuxonuwijen.pdfIn PDF document text
    • https://pufabakorulur.weebly.com/uploads/1/3/4/3/134320636/af0ee68f.pdfIn PDF document text
    • https://moraraxewurazi.weebly.com/uploads/1/3/4/0/134042425/aa0788cf37ad539.pdfIn PDF document text
    • https://jesakejijubew.weebly.com/uploads/1/3/4/5/134577011/relegelu_xelof.pdfIn PDF document text
    • https://cdn.sqhk.co/lofujumixas/dHy3Kil/74184301300.pdfIn PDF document text
    • https://kigovedinefetup.weebly.com/uploads/1/3/1/3/131384362/tiruxojudibaforuxita.pdfIn PDF document text
    • https://cdn.sqhk.co/fosojatesog/igorigK/xisofeteku.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://850a36a1-966c-46c3-86ed-e15bcb5778a7.filesusr.com/ugd/ede58b_6965fee2162646b593f48292e92f74ea.pdf?index=trueIn PDF document text
    • https://5071cc05-3fa2-46b1-b944-d2523ca4b51d.filesusr.com/ugd/62e2c1_c73d9167ccab46f2bda4634601a87fe9.pdf?index=trueIn PDF document text
    • https://4eff3ec4-d147-45d1-be73-876d9e1d0019.filesusr.com/ugd/efb3f0_10ec357210f24659b6c653ae9a0fe714.pdf?index=trueIn PDF document text
    • https://bd04a250-715b-4db0-8087-55ec2f714cf5.filesusr.com/ugd/0c2191_c7c7f7aa94604fbf991246c792b79905.pdf?index=trueIn PDF document text
    • https://68a74d12-89ac-4a94-b826-09ad332a30bf.filesusr.com/ugd/1a0392_be137da320894684b98826a141c6c358.pdf?index=trueIn PDF document text
    • https://s3.amazonaws.com/tarajix/taurus_g2c_9mm_holster.pdfIn PDF document text
    • https://s3.amazonaws.com/geraromu/36601000592.pdfIn PDF document text
    • https://86908e24-11f3-43a1-9346-bf531f45ee0b.filesusr.com/ugd/97493d_09895775eff441b6ba3a8abbf937c9ae.pdf?index=trueIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001068d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1068D 5156 bytes
SHA-256: ac33adc65923b6a4d1e6eb9893db5d84e53361af2e36996d907fafa4c7070857
font_01_sfnt_off000117ed.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x117ED 11140 bytes
SHA-256: 945b0ff364598b5c4cac6e5e3f26399027d3f91fd96609cf3f1c0ca4676591e7
font_02_sfnt_off00013df6.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x13DF6 16060 bytes
SHA-256: 503f5200e83b189a546b6c6e1d808633a9135186956fe76ff9bd78de3d91e3c6