Malicious PDF — malware analysis report

Static analysis result for SHA-256 9fa85451edb9616e…

MALICIOUS

PDF

Size: 90.9 KB
Created: 2021-02-06 06:08:51 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-05-26
MD5: ee2725b226e4a7256685e99349c2af64
SHA-1: 18a9b9490885186fd65d7a1173ea6764fb630f94
SHA-256: 9fa85451edb9616e7257e88198ea9d661527faaa8d1dfff8dcc508d01e4f2994
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. The presence of an embedded URI pointing to 'bologen.ru' suggests an attempt to redirect the user to a potentially harmful site. While no scripts were explicitly extracted, the PDF structure and embedded URLs are commonly used in phishing campaigns to deliver malicious content or redirect users to credential harvesting pages.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://bologen.ru/wb?keyword=uniform%20distribution%20cumulative%20density%20function (PDF link annotation)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      | Kind            | Source                                      | Size
------------------------------|-----------------|---------------------------------------------|------------
font_00_sfnt_off00010028.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10028  | 5460 bytes
  SHA-256: 24991e70943eef55d18664458652159c3ad15f4a3e593caac30c63962bfb9aff
font_01_sfnt_off000112b7.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0x112B7  | 16692 bytes
  SHA-256: 43cdeccadc92d40bf3c3ed536113d38bdbd1dacc3fd133917539bbfc51d44618
font_02_sfnt_off000147ac.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0x147AC  | 16296 bytes
  SHA-256: 878e6d9b759c44da60e2ecad50b675fbaa0f8d6ea9b6d9fe7c5e540410404a3d