Malicious PDF — malware analysis report

Static analysis result for SHA-256 6b7ee6db56ad4c29…

MALICIOUS

PDF

108.0 KB Created: 2021-03-22 05:32:04 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2713df119752e059e512d9a1ea276995 SHA-1: 9a0ca6d910a3a0e21afe34b09dc1d92275f0681c SHA-256: 6b7ee6db56ad4c2935ba907689a3cbc6170cbfc6981941794e3587b09b282e87
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous external links, with a significant number pointing to SEO-optimized PDF farms, suggesting an attempt to manipulate search results or distribute malicious content. One prominent URL, 'https://bologen.ru/wix?keyword=extreme+snowboarding+game+unblocked', appears to be a lure. The ClamAV detection and ML classifier strongly indicate malicious intent, likely related to phishing or malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9974

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://bologen.ru/wix?keyword=extreme+snowboarding+game+unblocked
    • https://cdn-cms.f-static.net/uploads/4470678/normal_5fe9c3f6a2520.pdf
    • https://static.s123-cdn-static.com/uploads/4458145/normal_600191287c4f3.pdf
    • https://lewotivegil.weebly.com/uploads/1/3/4/3/134320996/devonetutuzuvava.pdf
    • https://dawemewi.weebly.com/uploads/1/3/4/7/134747996/de90cdb8c4e03b4.pdf
    • https://static.s123-cdn-static.com/uploads/4483388/normal_60052da82df5a.pdf
    • https://polaposegit.weebly.com/uploads/1/3/4/5/134591324/sezuximi-busadimubiv-juzolanavopaj.pdf
    • https://joworuzofoluj.weebly.com/uploads/1/3/2/6/132683209/e34b928.pdf
    • https://deremufirig.weebly.com/uploads/1/3/4/8/134854029/0e8fdca6.pdf
    • https://xesinuvukuwufo.weebly.com/uploads/1/3/0/7/130776104/nusakoviburaw.pdf
    • https://mamonaxerif.weebly.com/uploads/1/3/5/3/135347384/torigexavebat.pdf
    • https://tazuromanuzowo.weebly.com/uploads/1/3/1/6/131636862/a6be1a.pdf
    • https://suxaniwaxunese.weebly.com/uploads/1/3/4/3/134385499/8fc1ddc.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/sesijesule/acm_icpc_problems.pdf
    • https://43e59f28-96d7-4988-bcd6-55bc25f76e69.filesusr.com/ugd/372bdc_18a31a14b0744208a8f085c1161443af.pdf?index=true
    • https://460eb545-5389-4aa9-9e78-d1074a8bca0c.filesusr.com/ugd/21a131_2a8daf40a8ef40388d07da7f104ead81.pdf?index=true
    • https://0502d5d0-a0f5-47b8-bc1c-644c46e4e431.filesusr.com/ugd/6cabbb_f02e8ecf6cee4a33be343bd8e77f9716.pdf?index=true
    • https://156bb51f-0b62-477f-88ca-8620af00812b.filesusr.com/ugd/e3ff21_c6e6c5c9a3df405e8e882c3eacc92e55.pdf?index=true
    • https://s3.amazonaws.com/nonipesikiri/feeding_guide_for_6_month_old_baby.pdf
    • https://01c19f78-c7d0-441a-b56a-8672493f87de.filesusr.com/ugd/9d66c7_ccfdec568a174fea99816fb823853465.pdf?index=true
    • https://cbb9655c-b60d-4095-8c1c-bb5f9a2903c5.filesusr.com/ugd/4dd980_b96e43841bba400daadc6ac4f6963cbb.pdf?index=true
    • https://47e244ab-6b1f-4ae7-97e8-86de5b619f9f.filesusr.com/ugd/e1d12c_48cbbadd723444719b59eff26f056e54.pdf?index=true
    • https://s3.amazonaws.com/novifamigot/75188743816.pdf
    • https://1b15a19f-c8c2-4d9d-8c2f-e97aa7ecfe2c.filesusr.com/ugd/eb6c48_5ac335be1834465890dc47679d40257b.pdf?index=true
    • https://s3.amazonaws.com/gezejoputiwinu/zeguge.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00015b3c.bin
525982f1d28f4a28b16951271f2b66eb7279fc50f11575f8e7a998d3be15c8e0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x15B3C 2912 bytes
font_01_sfnt_off00016597.bin
c6b1bf619f6e5541667c6918222fef22c2600fba07739d75c83e94df00dadec3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x16597 5580 bytes
font_02_sfnt_off000178a0.bin
0aebd49d9104ae4d0aac17db3bcd636d7eef6bf8bccd1b77ed3797bae8388c74		 pdf-font-stream PDF embedded font (sfnt) at offset 0x178A0 12000 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.