Malicious PDF — malware analysis report

Static analysis result for SHA-256 1ab873e72e0df07e…

Verdict: MALICIOUS
File type: PDF
Size: 83.8 KB
Created: 2021-04-07 05:24:57 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2ea14dbe268f7cabf9fb571d23424076
SHA-1: e2d8005762f99a8cb1c66db3e50d218d2880b0bc
SHA-256: 1ab873e72e0df07eae8dfaa4e04ac64661ee44688b8fe03074f274ecd0b0b64d
Risk score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains an embedded URI pointing to 'bologen.ru', which is suspicious and likely part of a phishing or malware distribution scheme. ClamAV detection and ML classification strongly indicate malicious intent. While no scripts were explicitly extracted, the PDF structure and embedded URI suggest it's designed to trick users into downloading further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (4)

  • ClamAV detection critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://bologen.ru/award?keyword=biological+classification+class+11+mcq+pdf+download

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000106b3.bin
  SHA-256: 3e2d89f7b58b98f7805437d334edd951f92f397909ab450455325d3b0ee22cf8
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x106B3
  Size: 5700 bytes

Filename: font_01_sfnt_off00011a2a.bin
  SHA-256: 19977f5187c55927a7c9c199c6be90d356241b56cabc17ffda187dc5f3091aea
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x11A2A
  Size: 10772 bytes