Malicious PDF — malware analysis report

Static analysis result for SHA-256 0f6cbc1b206663fe…

Verdict: MALICIOUS
File type: PDF
Size: 125.7 KB
Created: 2021-04-10 11:42:21 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-20

MD5: 2c31e9ec3b19602612c7682087dd22aa
SHA-1: ba810495069590fcff8c83377a78b22577c851a5
SHA-256: 0f6cbc1b206663fe44694516826ff3ea8ed365b3fe240177835ced483156c60f

Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by ML classifiers and ClamAV as malicious, indicating a high probability of malicious intent. It contains an embedded URL pointing to 'bologen.ru', which is likely part of a phishing or malware distribution scheme. The document body, though partially corrupted, suggests a lure related to 'how to smoke a brisket', which is a common tactic to disguise malicious content. No scripts were extracted, but the presence of multiple suspicious URLs suggests a phishing or credential harvesting attempt.

Machine Learning

  • Nyx PDF Classifier: malicious, score 0.9952

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://bologen.ru/strik?utm_term=how+to+smoke+a+brisket+in+the+big+easy (PDF link annotation)
    • http://mists.space/marketing_planner_job_descriptionze0g8.pdf (in PDF document text)
    • http://fresh-ita.fun/kuridikukutotiwupbdct4.pdf (in PDF document text)
    • https://cdn.sqhk.co/jomurozop/eidA4ja/fofumofuxutapedowikowenul.pdf (in PDF document text)
    • http://famozosivupiwij.sportsontheweb.net/25019073973.pdf (in PDF document text)
    • http://abreudesigns.com/is_epic_emr_hard_to_learnmgevd.pdf (in PDF document text)
    • https://cdn.sqhk.co/sipebesoxu/gjpcJjg/tozogivubimafoduvoge.pdf (in PDF document text)
    • http://fresh-ita.fun/astrokings_space_battles_real-_time_strategy_mmo6nu8x.pdf (in PDF document text)
    • http://tokio-2020.fun/gefasuxxydr6.pdf (in PDF document text)
    • https://cdn.sqhk.co/wabasenenem/grLiije/retro_game_reviews_youtube.pdf (in PDF document text)
    • http://fbcopyright-center.com/remapa21usi.pdf (in PDF document text)
    • https://cdn.sqhk.co/gixenako/pJibhg4/tapumojojiletib.pdf (in PDF document text)
    • http://gozimudowojuzun.mypressonline.com/czasy_teraniejsze_jzyk_angielski.pdf (in PDF document text)
    • http://ipatovaalena.ru/watts_premier_replacement_filter_kiti5ct6.pdf (in PDF document text)
    • http://idealicaitalia.website/394785454967z191.pdf (in PDF document text)
    • http://moneymaya.site/how_to_get_tv_code_for_samsung_tvszqy1.pdf (in PDF document text)
    • http://bit7.top/xunumivam7895q.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • http://www.daltonmaag.com/ (in PDF document text)
    • https://s3.amazonaws.com/vebogotexaf/elite_dangerous_horizons_combat_guide.pdf (in PDF document text)
    • https://s3.amazonaws.com/fixararololu/introduction_to_differential_topology.pdf (in PDF document text)
    • https://s3.amazonaws.com/pazerogasarinu/grant_decline_letter_template.pdf (in PDF document text)
    • https://s3.amazonaws.com/nevovumowa/star_wars_the_essential_atlas.pdf (in PDF document text)
    • https://s3.amazonaws.com/metakibeme/bipubefuja.pdf (in PDF document text)
    • https://s3.amazonaws.com/jezekemunidup/hotel_rwanda_questions_answers.pdf (in PDF document text)
    • https://s3.amazonaws.com/fekife/nikon_m_223_1-4_review.pdf (in PDF document text)
    • https://s3.amazonaws.com/kelukakeb/fondant_baby_shoe_template_free.pdf (in PDF document text)
    • http://firiwigisu.atwebpages.com/american_cinematographer_magazine_2020.pdf (in PDF document text)
    • https://s3.amazonaws.com/xifabilejilab/maluzuzela.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off00018852.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x18852  5216 bytes
  SHA-256: fcc37052b3dfb162cf11b9a3810f123e11f26a40bf3f0e03f89ca7d93b3d9200
font_01_sfnt_off000199ed.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x199ED  12388 bytes
  SHA-256: f3f427bfbd660dd181ff4aee761e989e94c6427b166dd0a2876bf3369e414776
font_02_sfnt_off0001c372.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1C372  16244 bytes
  SHA-256: 2a86a2fa1d1e53b46191496c64707bc719c518660bffdb32115f09414204d62b
font_03_sfnt_off0001d8ec.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1D8EC  4324 bytes
  SHA-256: 0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333