Malicious PDF — malware analysis report

Static analysis result for SHA-256 21e73c45ed91e3cd…

Verdict: MALICIOUS
File type: PDF
Size: 73.1 KB
Created: 2021-03-25 04:07:37 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ed9983d3c6275ce5a0a444a3871deba7
SHA-1: 7e12c59d0c3fd53ecc969440eb716b3f97510970
SHA-256: 21e73c45ed91e3cd144691c8bfbaf1a79ed077ee5bc29a242d0626f3213d1a3b
Risk Score: 196

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution

The PDF file contains numerous external links, with a critical heuristic identifying it as a link farm. One of the embedded URIs, 'https://bologen.ru/award?keyword=converter+pdf+em+word+i+love', suggests a lure related to file conversion. The presence of 'powershell_free_download.pdf' and related URLs in the document text, along with a high ML classifier score and ClamAV detection, strongly indicates malicious intent, likely for phishing or malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (6)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000e0c8.bin
    SHA-256: f8345c9a9cfd67e7c3d4b534d0a9c926bda943002ceaa2de3872136412374f3d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE0C8
    Size: 4856 bytes
  • font_01_sfnt_off0000f14c.bin
    SHA-256: 6ab82317f573294eec62e10dec8000513dee06d888f2c888c21be32abfb0d273
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF14C
    Size: 11108 bytes