Malicious PDF — malware analysis report

Static analysis result for SHA-256 3b9a32c7a80a9a92…

Verdict: MALICIOUS
File type: PDF
Size: 81.1 KB
Created: 2021-04-04 05:56:38 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-06-30
MD5: 3a98854e4639c823b60855709fee52b0
SHA-1: 536eef29e1449c8022480b7012271f8dece3fcb4
SHA-256: 3b9a32c7a80a9a92fa6945bfe11c0e6247fe5d030c56e6e618fca44105fdbb10
Risk Score: 186

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged by multiple heuristics as malicious, including a critical ClamAV detection and an ML classifier. It contains a large number of external links, suggesting it is part of a link farm or SEO spam operation. The primary external URL observed is https://bologen.ru/wix?keyword=love+letter+to+husband+during+hard+times, which is likely used to direct users to malicious content or phishing sites. No scripts were extracted, but the PDF structure and link farm behavior indicate a malicious intent to redirect users.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm (critical) PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting (medium) PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (info) PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info) PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://bologen.ru/wix?keyword=love+letter+to+husband+during+hard+times (PDF link annotation)
    • https://sufimademum.weebly.com/uploads/1/3/4/2/134236216/d664db41aadb.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4503035/normal_60351cb8908b9.pdf (in PDF document text)
    • https://livaruzurakit.weebly.com/uploads/1/3/4/4/134432061/9c3fe.pdf (in PDF document text)
    • https://mewaxoraveju.weebly.com/uploads/1/3/4/8/134897470/dilunoxik.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4409826/normal_5ffd5901653e1.pdf (in PDF document text)
    • https://bogezemobazuv.weebly.com/uploads/1/3/1/8/131856224/fipidadajo-walasazizixebir-budakeko-migigagaj.pdf (in PDF document text)
    • https://tapizijivuvol.weebly.com/uploads/1/3/2/6/132696465/dafapedutowaxu_xetajojuw.pdf (in PDF document text)
    • https://delezebewokumod.weebly.com/uploads/1/3/0/7/130776218/jemumuratolu.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://uploads.strikinglycdn.com/files/4346c87f-e621-408d-8a81-4cbd29864514/how_to_reset_harbor_breeze_remote_with_dip_switches.pdf (in PDF document text)
    • https://84bd2c60-91d0-47b6-9565-6ae8a6593e58.filesusr.com/ugd/963627_c127ecfd0bbb49b385a9c78d580bb608.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/07cde2bc-eb93-496c-bb04-749452b5905e/5995100140.pdf (in PDF document text)
    • https://229c3593-bb94-4e5d-9b9f-ca3747df48ef.filesusr.com/ugd/145364_4baca880c8c8417c8eaf602e64cd6d9b.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/ad587b29-c5d1-4d9b-a4f3-8aa82b843649/2005_honda_rancher_350_carburetor_rebuild.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/f814dfa6-2b80-4c07-85c3-921b3d34e34f/bufiwatifu.pdf (in PDF document text)
    • https://bac325b5-3710-4a60-ba01-c1ac5e8a7650.filesusr.com/ugd/c111de_5086ec0f3827475fae09737bd468c3e3.pdf?index=true (in PDF document text)
    • https://0dc5fd1c-b354-4e5b-9ccd-45395e8994ed.filesusr.com/ugd/f79e8d_c2577d51b42f4f9fa197aba4b42c1c42.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/7792beb6-95a4-483c-a3e1-a5bfa049c60e/charity_pick_up_used_furniture.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/a229a4eb-aba0-443e-bc83-a2e93403303a/ti-84_plus_c_silver_edition_charger_best_buy.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/948d70d2-36c9-4a15-99fb-660ec3e62275/explain_what_is_meant_by_urban_areas_create_heat_islands.pdf (in PDF document text)
    • https://e6676b24-921d-4f57-8fca-beda98688f3c.filesusr.com/ugd/144d27_6095d8377d5f44058663614ea1f4e745.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/ed46f708-8000-49d8-888d-5d98e0be6394/kodupepuziwozuwu.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/d5f0f621-4dc2-4cab-b6d9-5e1342fde103/pivopawaz.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/006129e7-a5b1-4306-a924-3850c34d3fbb/oracle_12c_installation_on_linux_sap.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000fef0.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFEF0
    Size: 5380 bytes
    SHA-256: ad12252474ea585f51125b461046af7111f28499a911689298f07c9fd8821763
  • font_01_sfnt_off00011115.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11115
    Size: 11536 bytes
    SHA-256: 19974ecb3ed50a158e977fa43eb91fd6ac7be7991f847af14d75d234e7d927d0