Malicious PDF — malware analysis report

Static analysis result for SHA-256 e8c1abb703009c4d…

MALICIOUS

PDF

Size: 77.1 KB
Created: 2021-03-09 08:41:24 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9364259835534847bf37ec5a00349165
SHA-1: b83ff908e4631d19ad1dc22f37adb7b7341245f1
SHA-256: e8c1abb703009c4da3336caa4f41895fd49c13f81831a8f31f08e56a90663224
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is identified as malicious by ML classifiers and ClamAV, with heuristics indicating the presence of external URIs. The document body, though heavily obfuscated, suggests a lure related to 'Amar ujala news today pdf'. The primary malicious indicator is the embedded URI pointing to 'https://resalured.ru/123?utm_term=amar+ujala+news+today+pdf', which is likely used to redirect the user to a phishing or malware distribution site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9988

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL
    • https://resalured.ru/123?utm_term=amar+ujala+news+today+pdf
    • http://prizinsta24.site/how_to_use_garmin_gpsmap_64st9pkx7.pdf
    • https://cdn.sqhk.co/gutipefu/Ahbgiii/japirewuxenegadolezejaka.pdf
    • http://xilexevu.scienceontheweb.net/38431452052.pdf
    • http://kuzexamipapoxip.medianewsonline.com/joruk.pdf
    • http://mufezupep.iblogger.org/mental_health_intake_assessment_form_template.pdf
    • https://cdn.sqhk.co/parikozug/fAEghMH/vetigadozeru.pdf
    • https://cdn-cms.f-static.net/uploads/4423431/normal_6031ee00cc856.pdf
    • http://letnesil.xyz/28871388820paiq1.pdf
    • http://thefortykuti.com/muxupeemg2b.pdf
    • http://maykistore.ru/i_wish_the_kid_laroi_lyrics_deutsch6h9rp.pdf
    • http://vimabanu.sportsontheweb.net/how_to_say_beautiful_lady_in_jamaican.pdf
    • https://cdn-cms.f-static.net/uploads/4479904/normal_603be01f0ac8c.pdf
    • https://static.s123-cdn-static.com/uploads/4495399/normal_5fc6d74c6b6f9.pdf
    • http://smartycredit.info/49547277583cwwb2.pdf
    • https://cdn.sqhk.co/terodekijur/Rmhevic/86471050635.pdf
    • https://cdn.sqhk.co/xizubutagen/itmhadX/modara.pdf
    • https://cdn-cms.f-static.net/uploads/4493569/normal_5fe735e72866d.pdf
    • http://www.opentle.org
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://sefowolo.atwebpages.com/7516526961.pdf
    • http://saxodanokijaj.atwebpages.com/horton_hears_a_who_full_movie_in_hindi_dubbed_watch_online.pdf
    • http://gofirog.epizy.com/pevejifegizi.pdf
    • http://zupamifub.rf.gd/5293636572.pdf
    • http://xegiseko.epizy.com/7271291849.pdf
    • http://supuwevul.atwebpages.com/elric_of_melnibone_book_review.pdf
    • http://miviguwi.epizy.com/available_on_ios_and_android_vector.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://www.gnu.org/licenses/gpl.html
    • http://scripts.sil.org/OFL

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: stream_004_off0000e372.bin
    SHA-256: d7acb1ea3e0b84370fff4f7e21a3729f0b09544b550b241e0c0086c0eae8e01a
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xE372
    Size: 11716 bytes
  • Filename: font_00_sfnt_off0000d0f4.bin
    SHA-256: 8a42697df8223272226d993bb0841fe3f318236025cb05536e562b399c98759e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD0F4
    Size: 5444 bytes
  • Filename: font_02_sfnt_off00010450.bin
    SHA-256: cb5460fe13ecb30f6843fbc36d4c8706840fe2fbe9bc7db6c11f6b1831146608
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10450
    Size: 9992 bytes