Malicious PDF — malware analysis report

Static analysis result for SHA-256 f0ebef622379379d…

Verdict: MALICIOUS
File type: PDF
Size: 82.5 KB
Created: 2021-03-06 05:07:34 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: fb2f65f1813364bb3a50665664f6d9cd
SHA-1: e5f9e3dc743dcb4ee2fa42577500c49c124864cb
SHA-256: f0ebef622379379d83f97c7c10a03dab1a5a500bc4e15f1c3cfcc906a9c96b4e
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by a machine learning classifier and ClamAV as malicious, specifically as a phishing trojan. It contains an embedded URL that mimics a search result, likely intended to trick the user into clicking it. The URL `https://resalured.ru/award?keyword=is+there+a+way+to+do+control+f+on+iphone` is the primary indicator of this phishing attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://resalured.ru/award?keyword=is+there+a+way+to+do+control+f+on+iphone
    • https://cdn.sqhk.co/lilaxikixo/idEjgzl/dj_loop_pads_2.pdf
    • https://static.s123-cdn-static.com/uploads/4371505/normal_5ffe81701c4db.pdf
    • https://cdn.sqhk.co/rifokinimito/WJhgNN1/little_fox_animal_doctor_download.pdf
    • https://static.s123-cdn-static.com/uploads/4424997/normal_5fcc60f6ac7cd.pdf
    • https://cdn.sqhk.co/bevurokakug/hbcdifK/tiwetale.pdf
    • https://cdn.sqhk.co/vapitinab/jJifOJ8/best_keyboard_design_app.pdf
    • http://world-wild-shop.com/loremunetufirajovowijunabg8od.pdf
    • https://cdn.sqhk.co/xaranoraf/ajeegfO/amazon_a_to_z_guarantee_request.pdf
    • http://eroganoficial.site/3x3_cfop_algorithmsof9uh.pdf
    • http://gerawat.22web.org/best_food_guide_tas.pdf
    • http://fasufigige.iblogger.org/uttarakhand_army_bharti_2019_application_form_date.pdf
    • http://delaem-sami.online/what_is_the_unit_of_enthalpy_change_of_solutionia6fk.pdf
    • http://prizinsta365.online/free_natal_chart_report_online24bzz.pdf
    • https://cdn.sqhk.co/vujagefamig/Tjdrehf/plague_inc_game_parent_review.pdf
    • http://dikerulaba.22web.org/create_steam_account_android.pdf
    • https://cdn.sqhk.co/kimazibo/KhfifgL/lifib.pdf
    • https://cdn-cms.f-static.net/uploads/4458852/normal_6014459ed040f.pdf
    • http://price-list.moscow/loguwafowiduxiwesamaw31.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/43e3f020-c789-43ac-ac54-b14832e94017/32001639517.pdf
    • https://uploads.strikinglycdn.com/files/2e051a8a-22ad-42bd-aea7-ca23d54163b6/lopi_pellet_stove_replacement_parts.pdf
    • http://zerujafulo.rf.gd/kosow.pdf
    • https://uploads.strikinglycdn.com/files/dcb87044-3741-48a3-8b0c-019f649f7558/10195839844.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000e31c.bin | af6721c5088e6a9df23e7f9eeab6848a3ed6b0404035dd15910dd1fd0b2055f8 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE31C | 5372 bytes
font_01_sfnt_off0000f571.bin | 5aa113a47a5412c163977287f37a788a2769ec0af0d5afc1754f6f2c3ea3e031 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF571 | 2872 bytes
font_02_sfnt_off00010161.bin | fb31628e2aefccdd47adb6debd5c0c274d615171e61a7db32bc0d390ed2d4026 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10161 | 10796 bytes
font_03_sfnt_off000125ac.bin | 43f18b73c6b83a7361b0f82441ef3583dcb4cea91362d9c0926e05ad0fdd565d | pdf-font-stream | PDF embedded font (sfnt) at offset 0x125AC | 16284 bytes