Malicious PDF — malware analysis report

Static analysis result for SHA-256 a90bbc05c565eee0…

Verdict: MALICIOUS
File type: PDF
Size: 78.5 KB
Created: 2021-03-30 22:29:32 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3d08ccadc08f22cd05cec6b7e29b60ae
SHA-1: 26c7673180732e98acc838d6bf66842c93c50793
SHA-256: a90bbc05c565eee0e501fd7392ce56f5eb39bd8b9c1351ef5a636f80e410b945
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The sample is a PDF document flagged by ClamAV as a phishing trojan. It contains multiple embedded URLs, one of which, 'https://bologen.ru/wix?keyword=google+drive+midsommar+mp4', is directly associated with a heuristic firing for an external URI. The ML classifier also strongly indicates maliciousness. The document body is heavily obfuscated, preventing a clear understanding of its direct lure, but the presence of numerous suspicious URLs suggests a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://bologen.ru/wix?keyword=google+drive+midsommar+mp4
    • http://creditscoretracking.info/kenmore_70_series_dryer_manuallju92.pdf
    • http://meetsol.xyz/78056684927ec2wc.pdf
    • http://itagreen.fun/avengers_movies_in_tamil_hdkmtmh.pdf
    • http://es50off.pro/68566000650m7s33.pdf
    • https://cdn-cms.f-static.net/uploads/4421050/normal_6063169c81dbb.pdf
    • http://idealica-italy.site/23910696851nxw93.pdf
    • http://lessonsonline.site/beps_action_plan_13r46n5.pdf
    • http://particulier-societegenerale.xyz/off_balance_sheet_liabilities_meaning878u8.pdf
    • http://reznitskygallery.com/t-fal_safe_2_pressure_cooker_gasketkurio.pdf
    • http://kartaidatodemeleri.com/734228419927tet0.pdf
    • https://cdn-cms.f-static.net/uploads/4444095/normal_603b394a06f7a.pdf
    • http://datingdate.site/78790042425jme6b.pdf
    • http://lnstagram-blue-ticks.com/54650997177ol6wp.pdf
    • http://garderob-podolsk.ru/30480123036jxxob.pdf
    • https://cdn-cms.f-static.net/uploads/4473637/normal_6044f7d7aa8bd.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/676d57d6-d564-49e2-b39a-219b99ae7d1f/why_cant_i_log_into_my_dish_account.pdf
    • https://uploads.strikinglycdn.com/files/fab50040-521e-486a-8cb0-dbc96c46881e/how_long_should_baby_nurse_once_milk_comes_in.pdf
    • https://uploads.strikinglycdn.com/files/29e2bacf-f6a1-44d8-b569-9ba403d291df/gefosexizubipudal.pdf
    • https://uploads.strikinglycdn.com/files/bba1d874-a924-4aea-89aa-992c423d3eef/hp_laserjet_cp1215_printing_double_images.pdf
    • https://uploads.strikinglycdn.com/files/15fa60fd-0b01-4c27-a427-a350387e67d2/fivijilapi.pdf
    • https://uploads.strikinglycdn.com/files/66fd05d6-b144-4ef1-bf5e-01d0eb2e4b1a/6411911906.pdf
    • https://uploads.strikinglycdn.com/files/82733293-a902-4c78-8d55-38e6771beae0/pdp_faceoff_xbox_one_controller_manual.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000f3b6.bin
    SHA-256: b9dbb9553fff4a3a7ba6df9526b19fab7c2a8492303e2be25c7bb9c46bc8802a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF3B6
    Size: 5460 bytes
  • Filename: font_01_sfnt_off00010642.bin
    SHA-256: 60bad50246acacfa1ed54c1a7b2269cf31cb6935e79ae276a56b25e6ea3a5f7c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10642
    Size: 10900 bytes