Malicious PDF — malware analysis report

Static analysis result for SHA-256 a0d488b9463466f8…

MALICIOUS

PDF

77.3 KB Created: 2021-03-09 19:30:16 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-05-26
MD5: c9fa89f93440953256745ccc2d51d62d SHA-1: 141f69177e329c5a28bdb188d42272c86d6d90e9 SHA-256: a0d488b9463466f80ffea5f3b6a0b6f224ea91a5b446e30528b2a45d19bf1397
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains numerous external links, a common tactic for SEO spam or phishing campaigns. The ML classifier and ClamAV detection strongly indicate malicious intent. The embedded URL 'https://bologen.ru/wix?keyword=die+leiden+des+jungen+werther+epoche' suggests a potential redirection or content-luring mechanism, while other links point to PDF files hosted on disposable domains, characteristic of link farms.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://bologen.ru/wix?keyword=die+leiden+des+jungen+werther+epoche PDF link annotation
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://a86a6b26-b473-4b55-b9aa-7628a2bff077.filesusr.com/ugd/4f270c_775b94b9df7d49ad9890e64adf2d1112.pdf?index=trueIn PDF document text
    • https://uploads.strikinglycdn.com/files/fd16b033-8d39-49db-8207-c0a88242f4ba/48983884134.pdfIn PDF document text
    • https://cd489911-dc6d-4439-b408-84622343fb93.filesusr.com/ugd/d8e941_5b053171dc90497faadc6aee4edaa851.pdf?index=trueIn PDF document text
    • https://a5fc3680-5c08-4cda-bd6c-abaa3bdf25bc.filesusr.com/ugd/ea5d7b_ea346a3eaf3647efb7903e673a204bc3.pdf?index=trueIn PDF document text
    • https://uploads.strikinglycdn.com/files/8fc4c4df-a884-496e-9d02-e5431d53f42c/what_happened_to_bob_ross_son.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/8e117c47-098d-4444-a6c4-f3dca9690ae0/how_did_lost_end_summary.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/7d57f488-80a3-4fcc-af7f-e592bc724607/billiards_last_pocket_rules.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/d17a1d86-fb8b-4f56-8d60-48d48716bac8/double_cross_rpg.pdfIn PDF document text
    • http://vedumojaje.epizy.com/bowabavisibepulo.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/9bb6677a-13cf-4c95-bcca-69810d23c5a1/what_are_good_vegetarian_sources_of_protein.pdfIn PDF document text
    • https://97d49ff2-d914-4ae4-8ac8-5e5cf5f77cad.filesusr.com/ugd/6350c7_c3ed68ba2e974fd5a482faeb33f5a895.pdf?index=trueIn PDF document text
    • http://xotepugiz.rf.gd/13803191726.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/e3b7f2a1-ee9d-4e32-84f1-c69f8a4bb840/digital_marketing_certification_online_india.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/a27f33e2-7e7e-424a-86ad-8d4f9da4c70b/26024376145.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/942b94ec-bb14-4279-b765-645d59a1104a/xivekixetetetola.pdfIn PDF document text
    • https://276658a2-c6b1-4a23-bc3b-56c82bce4278.filesusr.com/ugd/f9448a_d91b396e26d0459790b768a8a7e3c13a.pdf?index=trueIn PDF document text
    • https://uploads.strikinglycdn.com/files/915cb3be-8622-4d9d-91b6-404acba9252f/dibesiloza.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/42febc1c-da30-4198-aa73-23dba8f65641/79717696905.pdfIn PDF document text
    • https://41be308f-8a64-4dec-8b30-4937605be974.filesusr.com/ugd/f042fe_910ebd1cfd8040e6a36aead58aa3ab88.pdf?index=trueIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000efb4.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEFB4 5292 bytes
SHA-256: 4901626803bd2de991c23322fe3fef65cd59a625b699b7373dfefcc230c4286e
font_01_sfnt_off000101cb.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x101CB 11012 bytes
SHA-256: e832fa005508cbab1ea2a58dd74cb2af58c594c80b61f6a0d7710519bcc9119d