Malicious PDF — malware analysis report

Static analysis result for SHA-256 94c73d45af1b9366…

Verdict: MALICIOUS
File type: PDF

Size: 99.4 KB
Created: 2021-03-19 08:35:56 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-24
MD5: 3c2bdb8646f5e1808576ba15f5ed7660
SHA-1: 2a0acbc3f081c839b3c121172d3a07d9dd28b8d5
SHA-256: 94c73d45af1b9366be6d0c244a738580f777be7f780fdbf0236c1ad5f0d27835
Risk Score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, most of which point to other PDFs hosted on a handful of file-hosting and site-builder domains, the pattern of a generated link-farm or SEO-poisoning carrier. The primary URL, 'https://bologen.ru/award?keyword=8051+assembly+language+programming+in+keil+pdf', is dressed up as a search result for technical documentation (the sample itself was rendered with wkhtmltopdf, i.e. from a web page) so that a user looking for the referenced manual clicks through to the attacker-controlled site. No script content was extracted, so the verdict rests on the document structure and the link pattern rather than on executable content: the links are the delivery channel, and following them may lead to further payload downloads or phishing pages.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9981

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL (channel that reached it):
    • https://bologen.ru/award?keyword=8051+assembly+language+programming+in+keil+pdf (PDF link annotation)
    • https://static.s123-cdn-static.com/uploads/4409113/normal_5fde73d1733d5.pdf (in PDF document text)
    • https://cdn.sqhk.co/letarezetap/CKsihKb/40504930244.pdf (in PDF document text)
    • https://sasopezanureje.weebly.com/uploads/1/3/4/6/134691995/nonugorapipasor_gusupamekaze_sebudifa.pdf (in PDF document text)
    • https://tokuguzeg.weebly.com/uploads/1/3/4/4/134464653/1992f14b.pdf (in PDF document text)
    • https://cdn.sqhk.co/baxijaxazixi/vQ9jhlD/poboy_express_menu_pineville_la.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4482009/normal_5fed9bae24a0a.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4488580/normal_5fd274d0423d4.pdf (in PDF document text)
    • https://wizakamulo.weebly.com/uploads/1/3/4/0/134017688/0dfc009.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4486363/normal_6044d3950cb4f.pdf (in PDF document text)
    • https://cdn.sqhk.co/sejiragidu/yYlzLhj/beer_pong_golf_chipping.pdf (in PDF document text)
    • https://cdn.sqhk.co/vomawoko/Bjeiajf/3164599283.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://s3.amazonaws.com/rawesaragegugar/74632288249.pdf (in PDF document text)
    • https://s3.amazonaws.com/lorugipopuxe/gufafefinavek.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/8b2fbdba-7c2f-4609-b569-d56771919c8d/2008_ford_escape_problems_transmission.pdf (in PDF document text)
    • https://s3.amazonaws.com/sivanira/69510646921.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/d0b4badb-d55b-4fd2-aa89-ace29ad453f5/57703550636.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/e9d1e50d-f235-4a92-a019-c7c513764096/how_to_make_a_marriage_contract.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/88d3904c-da21-4fb5-b52c-908a5013b210/traductor_espaol_latin_vox.pdf (in PDF document text)
    • https://s3.amazonaws.com/tisegovofu/california_traffic_citations_online.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/1d47c1d5-6c11-4955-acb6-52e4d31d6fe8/sony_hdr-as200v_firmware_update.pdf (in PDF document text)
    • https://s3.amazonaws.com/lomuper/tugokajujenatafa.pdf (in PDF document text)
    • https://s3.amazonaws.com/jinabom/english_songs_acapella_free.pdf (in PDF document text)
    • https://s3.amazonaws.com/vapelurowar/duke_of_edinburgh_award_expedition_report.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)
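The two structural heuristics above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, are easy to reproduce in a triage script. The following is an added illustration written for this page, not the scanner's own code: it scans the raw bytes of a PDF for `N G obj ... endobj` definitions and `/URI` link targets, reports object IDs that are defined more than once with different bodies (raising an "active" flag only when a copy carries script, launch or open-action keys, as the report does), and scores the small-file, many-.pdf-links, one-dominant-host shape. The thresholds (`max_size`, `min_links`, `cluster`), the regexes and the `build_sample()` PDF are assumptions constructed here so the script runs offline; they are not the scanner's values and the sample is not the analysed file.

```python
"""Added illustration of two heuristics named in this report (not the scanner's
own code): the 'small PDF with mass external PDF link farm' check and the
'object number defined twice with different bodies' check. Runs offline on a
PDF constructed in build_sample(); thresholds are assumptions."""
import re
from collections import Counter
from urllib.parse import urlsplit

# `N G obj ... endobj`, scanned over raw bytes in file order. The xref table is
# ignored on purpose: first-wins, last-wins and xref-honouring readers can each
# pick a different copy of a duplicated object, which is the confusion detected.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
# Literal-string /URI targets of link annotations (hex strings and indirect
# string objects are out of scope for this example).
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# Keys that make a duplicated object 'active', i.e. when the report raises
# severity above informational.
ACTIVE_RE = re.compile(rb"/(JS|JavaScript|Launch|OpenAction|AA|EmbeddedFile)\b")


def parse_objects(data: bytes):
    """Return [(num, gen, body_bytes)] for every object definition in the file."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3).strip())
            for m in OBJ_RE.finditer(data)]


def duplicate_objects(data: bytes):
    """Map (num, gen) -> {'copies', 'active'} for IDs defined more than once
    with differing body bytes. Identical bodies are ignored: they resolve the
    same way in every reader and are common in benign incremental updates."""
    seen = {}
    for num, gen, body in parse_objects(data):
        seen.setdefault((num, gen), []).append(body)
    return {key: {"copies": len(bodies),
                  "active": any(ACTIVE_RE.search(b) for b in bodies)}
            for key, bodies in seen.items() if len(set(bodies)) > 1}


def extract_uris(data: bytes):
    """Decode every literal /URI string in the file, in file order."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(data)]


def link_farm_score(data: bytes, max_size=512 * 1024, min_links=10, cluster=0.5):
    """Flag the link-farm shape: a small file whose clickable links mostly point
    at other .pdf files on one host. max_size/min_links/cluster are assumed
    thresholds chosen for this example, not the scanner's."""
    uris = extract_uris(data)
    pdf_links = [u for u in uris if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    fraction = top_count / len(pdf_links) if pdf_links else 0.0
    return {"links": len(uris), "pdf_links": len(pdf_links),
            "top_host": top_host, "top_fraction": round(fraction, 2),
            "link_farm": (len(data) <= max_size and len(pdf_links) >= min_links
                          and fraction >= cluster)}


def build_sample(n_links=12, host="links.example.invalid"):
    """Constructed minimal PDF (not the analysed sample): object 1 is defined
    twice with different bodies, the second copy adding /OpenAction, and n_links
    link annotations all point at .pdf files on one host."""
    annots = [b"%d 0 obj\n<< /Type /Annot /Subtype /Link /A << /S /URI "
              b"/URI (https://%s/f%d.pdf) >> >>\nendobj\n" % (10 + i, host.encode(), i)
              for i in range(n_links)]
    refs = b" ".join(b"%d 0 R" % (10 + i) for i in range(n_links))
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
        b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [%s] >>\nendobj\n" % refs,
        *annots,
        # incremental-update style redefinition of the catalog with active content
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n",
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
    ])


if __name__ == "__main__":
    pdf = build_sample()
    print("duplicates:", duplicate_objects(pdf))
    print("link farm:", link_farm_score(pdf))
```

On the constructed sample this reports object `1 0` defined twice with the second copy active, and a link-farm verdict with all twelve `.pdf` links on one host; lowering `n_links` below the threshold clears the verdict while the duplicate-object finding stays. On a real file, run the two checks over the raw bytes before any library has "repaired" the document, since a repairing parser silently picks one copy of a duplicated object and hides exactly the ambiguity the heuristic is looking for.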

Extracted artifacts (4)

Files carved from inside the sample during analysis. All four are embedded sfnt font streams, consistent with the DejaVu and OFL font licence URLs found in the document text; no other embedded file was carved.

Filename | Kind | Source | Size | SHA-256
font_00_sfnt_off00011ebf.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11EBF | 4016 bytes | a4703af70ae8dd805919207f761de2e7b5d06f0707e135d4528dc89e58a9d8d4
font_01_sfnt_off00012cec.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12CEC | 6084 bytes | e35ab26fe8e8f6a132aa090b51bdd25a173e9368315dc464c382958a5d857a1b
font_02_sfnt_off00014198.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x14198 | 11612 bytes | 0e01f9be3d530fccc42f482ae698f5411e8c1e28e3e9221bd19a715d6b98e0bf
font_03_sfnt_off000169a1.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x169A1 | 16164 bytes | 0646a63a478fe53468b8dbbe05b608d617a04836cde27f490c8d0ce00ae8a9f2