Malicious PDF — malware analysis report

Static analysis result for SHA-256 1c1a56837096e615…

Verdict: MALICIOUS

File type: PDF

Size: 77.7 KB
Created: 2021-03-18 11:58:26 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ae17a2defb7dfb68d7c76838ea7926b3
SHA-1: f1639615279d35828e40de44041d85130518d3c4
SHA-256: 1c1a56837096e615eeab26122051ed882ee7af06c64da7adf143995a090bdf1e
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF was flagged by multiple static heuristics, including a critical ClamAV detection for Pdf.Phishing.Trojan. The file is small (77.7 KB) yet carries a large number of clickable external links to other PDFs, clustered on a handful of free-hosting domains (filesusr.com, cdn.sqhk.co, epizy.com, iblogger.org), with the primary call-to-action URL https://bologen.ru/award?keyword=beauty+box+corporal+pdf. The authoring application (wkhtmltopdf, an HTML-to-PDF converter) is consistent with a mass-generated web page rendered to PDF. Taken together this is the signature of an SEO link-farm carrier that routes readers into malicious or unwanted-software delivery chains, not of a document with a normal citation pattern. Note that none of the listed heuristics reports embedded JavaScript and the duplicate-object finding is info-level (no active content in the duplicate body), so the T1059.007 mapping is not corroborated by the static findings; the evidence points to social engineering (luring the user to external sites) rather than exploitation of a reader vulnerability.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content; reported at info level here, the duplicate body in this sample does not.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://bologen.ru/award?keyword=beauty+box+corporal+pdf
    • https://cdn.sqhk.co/seponidozit/hcggihC/63209753275.pdf
    • https://cdn.sqhk.co/xasakeza/ajbiiDx/zanotasesenoparusuxobi.pdf
    • http://rukakev.iblogger.org/isc2_sscp_study_guide.pdf
    • http://jimefat.22web.org/81368761519.pdf
    • http://balonedud.iblogger.org/juki_sewing_machine_parts_book.pdf
    • https://cdn.sqhk.co/luvuxokam/ghRjagc/29366618602.pdf
    • https://cdn.sqhk.co/bojodunaluko/eGEyTjf/printer_3d_laser_cnc.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://piserujirabubam.epizy.com/crank_books_in_order.pdf
    • http://kibululugavi.epizy.com/ammonification_and_nitrification.pdf
    • https://748e6e98-33e2-4bd1-95aa-01ea3505a154.filesusr.com/ugd/704f6c_e39531f99b80471eaabf9a7a58f8a72c.pdf?index=true
    • https://8d6920c1-aef5-45ed-b1a0-e693d63948fb.filesusr.com/ugd/0a593f_cd8c01e8b54d4c1d937a24e222d68e16.pdf?index=true
    • https://24218389-b518-4ca3-8548-65eaf758daa4.filesusr.com/ugd/c836c3_f2ac7fb02a784d3c81718e9117bf2d4a.pdf?index=true
    • https://4de1274e-a26b-4e71-a0d1-d86f0cfee7ee.filesusr.com/ugd/ee4d88_42c089086a9a4a8aaa9d0d65adacf90a.pdf?index=true
    • https://21e323bd-7fdd-46e9-a6c7-4880e76d7610.filesusr.com/ugd/0a51c1_83e7af53add246f4849d206f63319068.pdf?index=true
    • https://79d86aa2-23c4-4aa0-a0dc-c16ac59ae55d.filesusr.com/ugd/ecb701_409c07972d034b01b5bb92b5264dfd23.pdf?index=true
    • http://xigoraviwa.epizy.com/berliner_platz_1_vk.pdf
    • https://caa91486-5fcc-43b7-8b2b-5b817ae85bbe.filesusr.com/ugd/26bbcf_f7e5ac2501144912b976ddf27cb4ee74.pdf?index=true
    • https://ce55c564-0e79-48ac-bd91-a034cff8554b.filesusr.com/ugd/bd1fc0_f4658c4e9b04416dabf222b8e6bec0ed.pdf?index=true
    • http://niginikixino.epizy.com/ssh_secure_shell_free.pdf
    • http://suvalon.rf.gd/laxupemixetakosiv.pdf
    • https://99516632-72ce-40f3-a9a1-a01c91361c65.filesusr.com/ugd/e42c35_eeb857c0c93a48be93d94c9a0603fa03.pdf?index=true
    • https://229c3593-bb94-4e5d-9b9f-ca3747df48ef.filesusr.com/ugd/145364_106eefbc0eb34624b4f93acfe8bdccc4.pdf?index=true
    • https://510adc33-753b-44c0-977e-8d34da8fcdd4.filesusr.com/ugd/5f4192_5090ffd76cd240c7bdce843b703903c1.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    The last nine entries are not link targets: the w3.org, purl.org and ns.adobe.com URIs are XMP/RDF namespace identifiers from the document metadata, and the scripts.sil.org and dejavu.sourceforge.net URLs are the licence and vendor URLs that embedded fonts carry in their name tables. Exclude them when counting external links; the link-farm count rests on the PDF-hosting URLs above them.
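The two structural heuristics above (the duplicate-object check and the link-farm check) can be reproduced with a few lines of byte-level triage code. The following is an added example written for this page, not the analysis engine's own code; the thresholds (200 KB, 10 links, 50% on one host), the host names and the sample PDF bytes it builds are all constructed for illustration. It is deliberately a loose scanner rather than a PDF parser: objects inside /ObjStm streams are invisible to it.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Loose byte-level matchers for triage. This is not a PDF parser: objects packed
# inside object streams (/ObjStm) are invisible to it, which a real tool must
# also decode. The lookbehind stops "10 0 obj" from also matching as "0 0 obj".
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
URI_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.S)
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction", b"/AA")


def iter_objects(data: bytes):
    """Yield ((num, gen), body, file_offset) for every 'N G obj ... endobj'."""
    for m in OBJ_RE.finditer(data):
        yield (int(m.group(1)), int(m.group(2))), m.group(3).strip(), m.start()


def duplicate_objects(data: bytes):
    """Find object ids defined more than once with different bodies.

    Returns {(num, gen): {"first": body, "last": body, "active": bool}}.
    A first-wins reader sees "first", a last-wins reader sees "last"; the
    finding matters when either body carries an action/JavaScript key."""
    bodies = {}
    for oid, body, _ in iter_objects(data):
        bodies.setdefault(oid, []).append(body)
    out = {}
    for oid, seen in bodies.items():
        if len(seen) > 1 and len(set(seen)) > 1:
            active = any(k in b for b in seen for k in ACTIVE_KEYS)
            out[oid] = {"first": seen[0], "last": seen[-1], "active": active}
    return out


def extract_uris(data: bytes):
    """Return every /URI (...) literal-string target, with ')' unescaped."""
    return [m.group(1).replace(b"\\)", b")").decode("latin-1")
            for m in URI_RE.finditer(data)]


def link_farm_verdict(uris, size_bytes, max_size=200_000, min_links=10, cluster=0.5):
    """Small file + many external links + most on one host -> link farm.
    The three thresholds are assumptions, not the report's own values."""
    hosts = Counter(urlparse(u).hostname or "" for u in uris)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_n / len(uris) if uris else 0.0
    hit = size_bytes <= max_size and len(uris) >= min_links and share >= cluster
    return {"links": len(uris), "top_host": top_host,
            "top_share": round(share, 2), "hit": hit}


def build_sample() -> bytes:
    """Constructed PDF-like bytes (no xref tables, so not a valid PDF):
    12 link annotations, 10 of them on one host, then an incremental update
    that redefines object 4 with a JavaScript action."""
    links = [f"https://cdn.farm.example/{i}.pdf" for i in range(10)]
    links += ["https://other1.example/a.pdf", "http://other2.example/b.pdf"]
    annots = " ".join(f"{i} 0 R" for i in range(10, 10 + len(links)))
    doc = [b"%PDF-1.4\n",
           b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n",
           b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
           f"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [{annots}] >>\nendobj\n".encode(),
           b"4 0 obj\n<< /Type /Annot /Subtype /Text /Contents (benign note) >>\nendobj\n"]
    for i, u in enumerate(links, start=10):
        doc.append(f"{i} 0 obj\n<< /Type /Annot /Subtype /Link "
                   f"/A << /S /URI /URI ({u}) >> >>\nendobj\n".encode())
    doc.append(b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    # Incremental update: same object number, different body, active content.
    doc.append(b"4 0 obj\n<< /S /JavaScript /JS (var pwned = 1;) >>\nendobj\n"
               b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return b"".join(doc)


if __name__ == "__main__":
    sample = build_sample()
    print("duplicates:", duplicate_objects(sample))
    print("link farm:", link_farm_verdict(extract_uris(sample), len(sample)))
```

Run it against a real sample by replacing build_sample() with the file's bytes. The duplicate check returns both bodies so an analyst can see what a first-wins reader (Acrobat-style xref-driven parsing normally takes the last definition) and a last-wins reader would each resolve; the link-farm verdict is only a shape match and, as with the real heuristic, needs the ClamAV or classifier signal before it is treated as a detection on its own.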

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000d93f.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD93F
    Size: 5332 bytes
    SHA-256: eac22f8a9beaf54d1159a66179fe34c949905ac4d429a64af1588a26aa1c4993
  • font_01_sfnt_off0000eb76.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEB76
    Size: 12292 bytes
    SHA-256: f910c74cff860f67b3cab2a0348cf7bc2b6620a3f0cb304657fd069281943cd9
  • font_02_sfnt_off00011326.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11326
    Size: 16076 bytes
    SHA-256: 3088de61ba4d2b01ab234d84e40a42107c4d30a52b1b9bdaf8961d49da71d313
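Carving the sfnt artifacts listed above amounts to locating an sfnt offset table, validating its table directory against the buffer bounds, and hashing the delimited bytes. The following is an added example, not the carving code of the tool that produced this report; it works on already-decoded bytes (embedded font streams are usually FlateDecode'd, so decompress first), and the two-table font it assembles, the 64-table sanity bound and the surrounding "/Marked true" bytes are constructed for the stand-alone run. The false-positive handling is the point: the literal bytes "true" are a valid sfnt magic but also an ordinary PDF boolean.

```python
import hashlib
import struct

# sfnt header magics: TrueType 1.0, CFF-flavoured OpenType, Apple 'true'.
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true")
MAX_TABLES = 64   # sanity bound (assumption; real fonts have well under this)


def parse_sfnt(buf: bytes, off: int):
    """Validate an sfnt offset table at `off`.

    Returns (length, [table tags]) when the header and every table record are
    internally consistent and inside `buf`, else None. This rejects the
    frequent false hit where the bytes 'true' are just a PDF boolean."""
    if off + 12 > len(buf) or buf[off:off + 4] not in SFNT_MAGICS:
        return None
    num_tables = struct.unpack_from(">H", buf, off + 4)[0]
    if not 1 <= num_tables <= MAX_TABLES:
        return None
    end = off + 12 + 16 * num_tables          # end of the table directory
    if end > len(buf):
        return None
    tags = []
    for i in range(num_tables):
        tag, _csum, toff, tlen = struct.unpack_from(">4sIII", buf, off + 12 + 16 * i)
        # Tags are printable ASCII ("cvt ", "OS/2"); offsets are relative to `off`.
        if not all(0x20 <= c < 0x7F for c in tag) or off + toff + tlen > len(buf):
            return None
        tags.append(tag.decode("ascii"))
        end = max(end, off + toff + tlen)
    return end - off, tags


def carve_fonts(buf: bytes):
    """Scan `buf` for sfnt blobs; return [(offset, length, sha256_hex, tags)]."""
    found, pos = [], 0
    while True:
        hits = [h for h in (buf.find(m, pos) for m in SFNT_MAGICS) if h != -1]
        if not hits:
            return found
        off = min(hits)
        parsed = parse_sfnt(buf, off)
        if parsed is None:
            pos = off + 1          # false positive (e.g. the word 'true'); keep scanning
            continue
        length, tags = parsed
        blob = buf[off:off + length]
        found.append((off, length, hashlib.sha256(blob).hexdigest(), tags))
        pos = off + length


def build_font(tables: dict) -> bytes:
    """Assemble a minimal TrueType-flavoured sfnt from {tag: bytes}.
    Checksums are left at 0 (fine for carving; a font validator would object)."""
    n = len(tables)
    header = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", n, 0, 0, 0)
    records, blobs = b"", b""
    for tag, blob in tables.items():
        records += struct.pack(">4sIII", tag, 0, 12 + 16 * n + len(blobs), len(blob))
        blobs += blob + b"\0" * (-len(blob) % 4)   # tables are 4-byte aligned
    return header + records + blobs


if __name__ == "__main__":
    # Constructed input: a PDF boolean that looks like a magic, then a real sfnt.
    font = build_font({b"head": b"\0" * 8, b"name": b"\1" * 12})
    stream = b"<< /Marked true >> " + font + b" trailing bytes"
    for off, length, digest, tags in carve_fonts(stream):
        print(f"sfnt at offset 0x{off:X}, {length} bytes, tables={tags}, sha256={digest}")
```

The carved length is the end of the furthest table, not the end of the stream, so the hash matches what a font-aware tool would report for the same blob; the tags list is a quick way to see whether a carved font is complete (a TrueType font without 'glyf' and 'loca', for instance, is a fragment or a CFF font mis-tagged as TrueType).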