Malicious PDF — malware analysis report

Static analysis result for SHA-256 717b8b3e83086b88…

Verdict: MALICIOUS
File type: PDF
Size: 124.3 KB
Created: 2021-04-03 13:49:52 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 969ac159bc9b3c762027f3e8ba4b239d
SHA-1: 7b6570b46be2db93798176d7fcaf408f3c7b7c01
SHA-256: 717b8b3e83086b88eef7b3d820aa9b01962ff82872bcdf257c047453597a9994
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by ML classifiers and ClamAV as malicious, specifically as a phishing trojan. It contains an embedded URI pointing to 'bologen.ru', which is likely used to redirect the user to a malicious site. Although no scripts were explicitly extracted, the presence of embedded URLs and the nature of the detection suggest a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0001a8b8.bin
    SHA-256: af3c838cec2bfb51942804d03e9f3c3aba17733f1e3f0c01661a86abea946d09
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1A8B8
    Size: 5320 bytes
  • Filename: font_01_sfnt_off0001bac8.bin
    SHA-256: f57a096c27e45e941a19703bf7aa51a1f722d33bc5b9c8ed768c63162027782b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1BAC8
    Size: 11468 bytes