Malicious PDF — malware analysis report

Static analysis result for SHA-256 512f69c8ddb6c1a1…

Verdict: MALICIOUS
File type: PDF
Size: 125.6 KB
Created: 2021-04-24 16:25:04 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 20b955c339026481db814fa0ad837edd
SHA-1: 291e16b237a6fa2769c6e2d58a75b78a4a4c0afd
SHA-256: 512f69c8ddb6c1a150366146ff832add611e2e543b5d177249033e22c6e424e1
Risk score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains a large number of external links, many of which are numeric slugs, suggesting a link farm for SEO manipulation. One of the primary external URIs points to 'bologen.ru', which is likely a malicious domain. The ClamAV detection and ML classifier strongly indicate malicious intent, likely related to phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://bologen.ru/strik?utm_term=honeywell+vision+pro+8000+user+manual+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0001abc4.bin
    SHA-256: 7e7ac2e2af2cc49d8d4f562243d9e31000d92339ba90a10c96234e9891475c56
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1ABC4
    Size: 5736 bytes
  • font_01_sfnt_off0001bf4e.bin
    SHA-256: 51fa22cbf214660573ff0ba549c2e9219f2aaaeaa9adb58a90b819e41b082d3d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1BF4E
    Size: 12260 bytes