Malicious PDF — malware analysis report

Static analysis result for SHA-256 4c8fd289205b8b20…

Verdict: MALICIOUS
File type: PDF
Size: 69.9 KB
Created: 2021-03-16 03:30:24 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-05-29
MD5: dd27d6b8ed87d7e94676d7a008e4e7a4
SHA-1: 97f453edcf18b1e9f4f86fc763a6930d7d55f804
SHA-256: 4c8fd289205b8b20a8e7434c385adf47429571caab54a57da2d565316c039a01
Risk score: 126

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by ML classifiers and ClamAV as malicious, specifically as a phishing or trojan. It contains numerous embedded URLs, with one prominent link pointing to 'bologen.ru', suggesting a phishing or content-luring attempt. The heuristic 'PDF_SEO_DISPOSABLE_LINK_FARM' indicates a pattern of using disposable hosting for a large number of links, further supporting the malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting (severity: medium; rule: PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (severity: info; rule: PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (severity: info; rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://bologen.ru/award?keyword=amoeba+sisters+video+recap+biomolecules+answer+key+pdf (channel: PDF link annotation)
    • https://cdn.sqhk.co/tatakakuwito/SheWm7F/monster_truck_coloring_pages_for_kindergarten.pdf (channel: PDF document text)
    • http://vertitribe.store/science_facts_in_the_bible_ray_comfortcu7ie.pdf (channel: PDF document text)
    • https://static.s123-cdn-static.com/uploads/4484612/normal_5ff1997fcd5c1.pdf (channel: PDF document text)
    • http://igbusinessabouthelp.com/mejosafesavevazavzy3gp.pdf (channel: PDF document text)
    • https://static.s123-cdn-static.com/uploads/4374520/normal_5fe5467576614.pdf (channel: PDF document text)
    • https://cdn.sqhk.co/fokofike/bPjhgjg/tedosajafu.pdf (channel: PDF document text)
    • https://cdn-cms.f-static.net/uploads/4425484/normal_604fe3b747885.pdf (channel: PDF document text)
    • https://cdn.sqhk.co/neseleko/jhpUieh/ea_sports_ufc_2_career_mode_tips.pdf (channel: PDF document text)
    • https://wosowabo.weebly.com/uploads/1/3/4/3/134340570/jowajawotifuke-rizefozagag-wasem-tofowumaf.pdf (channel: PDF document text)
    • https://dugufenejoropez.weebly.com/uploads/1/3/0/7/130775504/731cc9735.pdf (channel: PDF document text)
    • https://static.s123-cdn-static.com/uploads/4416322/normal_6003bd7dcafdc.pdf (channel: PDF document text)
    • https://cdn.sqhk.co/wefekoferu/9hhgcjf/sekiwimemas.pdf (channel: PDF document text)
    • https://cdn.sqhk.co/zepipawetopi/jfoN8lt/nyan_cat_ear_headphones.pdf (channel: PDF document text)
    • http://www.ascendercorp.com/ (channel: PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (channel: PDF document text)
    • https://4c2674ec-1430-4cec-a455-d6a35d10586e.filesusr.com/ugd/38955b_f4de30f0b6ca44a48a26c1bf71d62ea2.pdf?index=true (channel: PDF document text)
    • https://uploads.strikinglycdn.com/files/32defbc5-97c2-4d58-b8bc-26fe91e165c9/2013_jeep_grand_cherokee_laredo_4x4_reviews.pdf (channel: PDF document text)
    • https://uploads.strikinglycdn.com/files/780ab313-d7d8-471e-b1e6-b78756dade26/how_to_inflate_lay_z_spa_st_moritz.pdf (channel: PDF document text)
    • https://b20aee1f-b1b7-4e4e-be5e-d884e4ece670.filesusr.com/ugd/10e3af_69114658cab74e8397f7d94c8642cac1.pdf?index=true (channel: PDF document text)
    • https://264cdfe8-48fc-440e-bff3-938583425051.filesusr.com/ugd/cd20dc_f68f924de13a4479a5b9d9787d8a17c8.pdf?index=true (channel: PDF document text)
    • https://uploads.strikinglycdn.com/files/5a11c28f-3c9b-4968-81f6-3118fe788c9c/71850301592.pdf (channel: PDF document text)
    • https://77483064-5892-4b52-b419-66e751946b77.filesusr.com/ugd/ef7b09_024c876b6d1e47d7b7a4c69be2bd96f4.pdf?index=true (channel: PDF document text)
    • https://7980b0ff-2efe-48f4-a442-6c87bca80713.filesusr.com/ugd/9bd8c3_0e4ae3ff6c504c09b62f014dd0b3d580.pdf?index=true (channel: PDF document text)
    • https://uploads.strikinglycdn.com/files/cc549049-f77e-48a6-b5b7-858653bf7346/zazujefanaxo.pdf (channel: PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (channel: PDF document text)
    • http://purl.org/dc/elements/1.1/ (channel: PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (channel: PDF document text)
    • http://ns.adobe.com/xap/1.0/ (channel: PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (channel: PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (channel: PDF document text)
    • http://scripts.sil.org/OFL (channel: PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000d320.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD320 | 5748 bytes
    SHA-256: 51b83345e56b43c91c0d49a9fa298caaaf6f145d259158d777cdeca3f6e0f184
font_01_sfnt_off0000e6b9.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE6B9 | 10112 bytes
    SHA-256: b924bffc81105d6708a7f8ee4ee19c63dbd8bd78393e7a48c49950e324518b70