Malicious PDF — malware analysis report

Static analysis result for SHA-256 36b9c13962ba94cf…

MALICIOUS

PDF

77.1 KB Created: 2021-03-19 17:20:35 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f881b2c88016ba149df1ba67882b38b1 SHA-1: e59f166d30a732c00de83857b54f7c72c4aef043 SHA-256: 36b9c13962ba94cf1aa048c5e56559dfff917fb2e178b3edb2aaf588e808f689
136 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1140 Deobfuscate/Decode Files or Information T1071.001 Web Protocols

The sample is a PDF document detected as a phishing trojan by ClamAV and flagged by an ML classifier. The document body, though heavily obfuscated, contains references to 'clash of clans hack no downloading apps', suggesting a lure for users seeking cheats or exploits. The heuristic 'SE_MFA_LURE' indicates the document is designed to harvest credentials or MFA approvals, likely by directing the user to a malicious URL. The embedded URL `https://bologen.ru/wix?keyword=clash+of+clans+hack+no+downloading+apps` is consistent with this phishing attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • MFA / one-time-code harvesting lure high SE_MFA_LURE
    Document asks for a one-time code, authenticator approval, or MFA confirmation — consistent with credential phishing kits that steal session tokens or abuse multi-factor authentication
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://bologen.ru/wix?keyword=clash+of+clans+hack+no+downloading+apps
    • https://cdn.sqhk.co/tulovixegoke/cidhbSK/43279462042.pdf
    • https://cdn.sqhk.co/kubepugemaki/ejh1wgd/mountaineering_gear_rental.pdf
    • https://cdn-cms.f-static.net/uploads/4379487/normal_6030543b2be8a.pdf
    • https://cdn.sqhk.co/vusutesilo/piejejc/accordion_menu_html_css_free.pdf
    • http://pulezuxelad.22web.org/mean_median_mode_range_interquartile_range_standard_deviation_calculator.pdf
    • https://cdn-cms.f-static.net/uploads/4445877/normal_605451c00afc1.pdf
    • https://cdn.sqhk.co/salobosemiv/hh2iaij/rewolutojonopifekezo.pdf
    • https://cdn.sqhk.co/dojagomudek/aXmAjgp/67237099368.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://lusiwavi.rf.gd/55687325433.pdf
    • https://s3.amazonaws.com/vonusirukete/65231129381.pdf
    • https://6a24fdd2-d4a5-4c4b-882b-0f3115751bcf.filesusr.com/ugd/04e6f9_be6780ad557f4d299a75971bdd6ec1fc.pdf?index=true
    • https://uploads.strikinglycdn.com/files/b46faa57-a5c2-45af-bf73-077ad5ab2031/84853901787.pdf
    • http://xewepipesu.epizy.com/tejidisafe.pdf
    • https://uploads.strikinglycdn.com/files/45ac9303-f265-4243-8fc7-3387d3c9ece0/76668249934.pdf
    • https://6997f972-013f-4c6f-ac95-4179ba17a557.filesusr.com/ugd/549e1a_aa96c4bf9f2c4212a8eb5f2e5afdef2b.pdf?index=true
    • https://uploads.strikinglycdn.com/files/02b0b50d-b553-4716-a8d3-97b3529333a1/dodge_ram_service_dubai.pdf
    • https://s3.amazonaws.com/zobuwubedak/beaumont_school_sixth_form_absence_line.pdf
    • http://wolodavufaxus.rf.gd/bangla_dj_song_bangla_dj_song.pdf
    • https://d427386d-3434-45d9-8802-370857a594f4.filesusr.com/ugd/accd1f_ce5e558d06414329b0a36191307f1910.pdf?index=true
    • https://1d942ef5-affb-47d8-8f99-70a3d187b733.filesusr.com/ugd/3283b0_f5bce6d5be274f4b8957baba74cd9362.pdf?index=true
    • https://c2267750-1f6d-4c2f-944a-eb302c7f07d7.filesusr.com/ugd/93971e_3679fb715a4b4b19b899e501e2989799.pdf?index=true
    • https://s3.amazonaws.com/zeworibuzoza/dd_ranger_prestige_classes.pdf
    • https://uploads.strikinglycdn.com/files/a54c46e5-7ef5-4e08-9b6f-e244af9ecbe8/g_shock_watch_sig_meaning.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000efb2.bin
91199e9090e2b2a095d772a7e7bf9abecd074bec76962cdc6ef889e7d51a05d6		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEFB2 5384 bytes
font_01_sfnt_off00010213.bin
de6bc3d1c1c75aa7fd9e96f1d785ebf56916936aed7d7340a302d8955bf48ca0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10213 10808 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.