Malicious PDF — malware analysis report

Static analysis result for SHA-256 a9c6f49457286acd…

MALICIOUS

File type: PDF
Size: 82.7 KB
Created: 2021-03-28 21:50:17 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: de1126152a1bbb090e1d1ecec3a24008
SHA-1: 7ce5c256d9989a0cd3519fabf85d8fbfbf57ed7d
SHA-256: a9c6f49457286acde5f080bd975c3270c6eab3d7dc79464497823a24b7dc6515
Risk score: 136

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution
  • T1059.007 JavaScript

ML classifiers and ClamAV both flag the file as malicious; the ClamAV signature names it a phishing trojan. The SE_BROWSER_INSTALL_LURE heuristic indicates that the document's visible content instructs the user to install a browser update, extension or viewer to see the content, a social-engineering path to malware installation or credential theft. The URL https://bologen.ru/wix?keyword=macys+apk+gratis is the most likely download location for the lure's payload; the remaining URLs are a cluster of similarly generated .pdf links on free-hosting domains plus XMP namespace and font-license references that carry no action on their own. No JavaScript or exploit heuristic fired in the static findings listed below, so the T1203 and T1059.007 mappings should be treated as tentative until confirmed by dynamic analysis.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (5)

  • ClamAV detection critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content such as a URI or JavaScript action.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://bologen.ru/wix?keyword=macys+apk+gratis
    • http://tuwedoviwe.iblogger.org/nathaniel_bassey_music.pdf
    • http://latuha.com/cambridge_igcse_chemistry_revision_guide_roger_norrisuks52.pdf
    • http://wonamesavap.iblogger.org/stock_certificate_template_free.pdf
    • http://getliterate.online/75485003074r66h1.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/1fa6493a-783c-43d0-a041-757255bb6d15/75748114087.pdf
    • https://uploads.strikinglycdn.com/files/2a962d64-fa1b-42b2-86ee-a1617abbea9f/somejugelibelisibapum.pdf
    • https://uploads.strikinglycdn.com/files/50986a28-56af-45ee-971f-df3d868ad9f2/lupeperesutogavukizavarub.pdf
    • http://gebutetivifupa.epizy.com/merriam_webster_dictionary_for_computer.pdf
    • https://uploads.strikinglycdn.com/files/7caa60cb-1968-4772-b26a-fdd0976670f3/the_cask_of_amontillado_questions_commonlit_answers.pdf
    • https://uploads.strikinglycdn.com/files/af934c65-379a-4d7a-9f3d-bedf5fecfcb9/26259733425.pdf
    • http://kasupetaderimit.rf.gd/microcanonical_canonical_and_grand_canonical_ensembles.pdf
    • https://uploads.strikinglycdn.com/files/6d4d0e3a-ea14-4379-a76f-65078dc682ab/mamidijafelinudinon.pdf
    • http://jejevad.rf.gd/26518186146.pdf
    • http://zifelibuvofaz.epizy.com/scielo_que_es.pdf
    • http://zikogaled.rf.gd/kupimukapuzoxuwomolenat.pdf
    • http://mowesod.epizy.com/5779318481.pdf
    • http://pejemevogoge.myartsonline.com/bioenergy_production.pdf
    • https://uploads.strikinglycdn.com/files/05418be1-8d38-4a8b-8285-de67c63839db/83096504865.pdf
    • https://uploads.strikinglycdn.com/files/cf60d0d2-6d21-4dcd-8df4-d4b5c833d464/9785985946.pdf
    • http://bexopikirekide.rf.gd/75275073871.pdf
    • https://uploads.strikinglycdn.com/files/dbbaa248-95cc-4d39-9b97-70e1740991f1/dofowetujapad.pdf
    • http://dogiwexor.myartsonline.com/introduction_to_geological_structures_and_maps.pdf
    • https://uploads.strikinglycdn.com/files/d320b2a8-3e8e-4487-9bb4-15d9d71705e2/xujetu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
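To make the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and PDF_URI findings above concrete, here is an added example (not part of this report or its analysis engine) in Python. It scans a PDF for indirect objects defined more than once, compares the bodies, builds the object table both first-wins and last-wins, and lists the /URI targets each policy would reach, raising severity only when a duplicate carries active content. The sample PDF, the example.org URL and the policy names are constructed for the example; the bologen.ru URL is the one from the report. Real files carry xref tables and an incremental update's xref points at the later definition; when the xref is missing or damaged, readers rebuild the table by scanning the file, and that is where the two policies diverge.

```python
import re
from collections import defaultdict

# Constructed sample: a minimal PDF followed by an incremental update that
# redefines object 4 (a link annotation) with a different /URI. The xref
# tables are deliberately omitted, so any reader that rebuilds the object
# table by scanning will face the first-wins/last-wins ambiguity directly.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]
   /A << /S /URI /URI (https://example.org/benign) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]
   /A << /S /URI /URI (https://bologen.ru/wix?keyword=macys+apk+gratis) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# "N G obj ... endobj" with the body captured; DOTALL so bodies may span lines.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
# Literal-string /URI targets only; hex-string targets are out of scope here.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Keys that make an object "active content" for severity purposes.
ACTIVE_KEYS = (b"/URI", b"/JS", b"/JavaScript", b"/Launch",
               b"/OpenAction", b"/AA", b"/SubmitForm")


def scan_objects(data: bytes):
    """Map (num, gen) -> list of body bytes, one entry per definition, in file order."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return objs


def duplicate_objects(objs):
    """Object IDs defined more than once with differing body bytes."""
    return {oid: bodies for oid, bodies in objs.items() if len(set(bodies)) > 1}


def resolve(objs, policy):
    """Object table as a first-wins or last-wins reader would build it."""
    idx = 0 if policy == "first" else -1
    return {oid: bodies[idx] for oid, bodies in objs.items()}


def extract_uris(table):
    """Sorted /URI action targets reachable in a resolved object table."""
    return sorted(u.decode("latin-1")
                  for body in table.values() for u in URI_RE.findall(body))


def is_active(body: bytes) -> bool:
    return any(k in body for k in ACTIVE_KEYS)


def analyze(data: bytes):
    objs = scan_objects(data)
    findings = []
    for oid, bodies in sorted(duplicate_objects(objs).items()):
        sev = "high" if any(is_active(b) for b in bodies) else "info"
        findings.append({"obj": oid, "definitions": len(bodies), "severity": sev})
    return {
        "duplicates": findings,
        "first_wins_uris": extract_uris(resolve(objs, "first")),
        "last_wins_uris": extract_uris(resolve(objs, "last")),
    }


if __name__ == "__main__":
    r = analyze(SAMPLE_PDF)
    for f in r["duplicates"]:
        print(f"object {f['obj'][0]} {f['obj'][1]} defined "
              f"{f['definitions']}x, severity {f['severity']}")
    print("first-wins reader sees:", r["first_wins_uris"])
    print("last-wins reader sees: ", r["last_wins_uris"])
```

Running it on the sample reports object 4 0 defined twice at severity high and shows the two readers landing on different URLs: the first-wins table only contains the benign link, the last-wins table only the bologen.ru link. A scanner that dedups by object number before extracting URLs will miss one of the two, which is the point of the heuristic.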

Extracted artifacts (3)

Files carved from inside the sample during analysis. The analysis classified all three as embedded sfnt font streams rather than executable payloads, consistent with the DejaVu and SIL OFL font-license URLs found in the document.

  • font_00_sfnt_off0000ec1d.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEC1D
    Size: 5240 bytes
    SHA-256: f15fc17d0d8e6136b8a1d7697491ee45764e1e05fd41df30afbe1c34b6592883
  • font_01_sfnt_off0000fe1a.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFE1A
    Size: 12220 bytes
    SHA-256: c2f0e72ace2e901b2c5a39781edae5abd0f11bd3ba65256ad1cb906050e72243
  • font_02_sfnt_off00012675.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12675
    Size: 16168 bytes
    SHA-256: e5458d7b6d82539349b17fc4713a17e1381d471255c72d9f8116b7c86e08c443