Malicious PDF — malware analysis report

Static analysis result for SHA-256 6f16b752477a2ddf…

Verdict: MALICIOUS
File type: PDF
Size: 85.8 KB
Created: 2021-05-28 06:05:06 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-29
MD5: 629697f39f7123deb51bc6f6f8dd2754
SHA-1: c4f2e03a2390d710437ad7308f6f9aa4569a3000
SHA-256: 6f16b752477a2ddfbb89ecf78bb1b8104ff9b90c2fd6eb86dd61703519e0a6c2
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds external URLs that direct users to attacker-controlled resources. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9988

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://bologen.ru/123?utm_term=baal+veer+episode+927 (PDF link annotation)

Extracted artifacts (5)

Files carved from inside the sample during analysis.

  • stream_005_off00011c59.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x11C59
    Size: 18744 bytes
    SHA-256: f1f3574e140c1aeded25d95a734e435419e5eb3dec7906563d85de75b9e573cf
  • font_00_sfnt_off0000dbe5.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xDBE5
    Size: 5032 bytes
    SHA-256: 282bd49e5c1b4bddad7b0128ed6247881c3b23cccd939bd5385a3baf649802d2
  • font_01_sfnt_off0000ed0c.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xED0C
    Size: 2328 bytes
    SHA-256: 2cc1e50f0fd6496c2ab9826068307ce5cc392e2c69d801942a645521020ee041
  • font_02_sfnt_off0000f781.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF781
    Size: 10752 bytes
    SHA-256: 38a8182b55ca43671994ed302d466b764329882cc42847949868e3578ee78556
  • font_04_sfnt_off00013991.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x13991
    Size: 4324 bytes
    SHA-256: d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378