Malicious PDF — malware analysis report

Static analysis result for SHA-256 c6837c0933d5e787…

Verdict: MALICIOUS
File type: PDF
Size: 84.6 KB
Created: 2021-03-26 10:13:20 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 52cd9e856ef681b34e81acdad331a6cf
SHA-1: d0362ff1013ec5b0709149b064d5ee8062872f26
SHA-256: c6837c0933d5e787c4dd9d915b48311d2d216b867e5a12f55d216dd952628378
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains an embedded URL pointing to 'bologen.ru', which is flagged as suspicious. The ML classifier and ClamAV detection strongly indicate malicious intent, likely phishing or malware delivery. The document body, though heavily obfuscated, contains text fragments that could be part of a lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://bologen.ru/award?keyword=bespoke+software+pdf
    • https://static.s123-cdn-static.com/uploads/4385847/normal_5fe4aa39cef32.pdf
    • http://microbladingcertificationdfw.org/at_lp120_cartridge_alignment7qg1p.pdf
    • http://gazedalepi.sportsontheweb.net/1554350272.pdf
    • http://mumaposogataj.22web.org/automobilismo_d_epoca_febbraio_2020.pdf
    • https://cdn-cms.f-static.net/uploads/4372682/normal_5fe83476bccb4.pdf
    • https://javudufopatoka.weebly.com/uploads/1/3/1/6/131606124/zibiponu-mekijivibifeke-ropebebup.pdf
    • http://blognews.top/nudebezewupepem363ic.pdf
    • http://zhigina.ru/quantitative_techniques_for_businessygpkf.pdf
    • https://moluxoket.weebly.com/uploads/1/3/2/6/132682852/karelekemanisew_soralimeneji_kaxajinuvuvizi_bubug.pdf
    • http://medicalpracticementor.com/bikogozakuruwevesoga3vj6c.pdf
    • https://milelujip.weebly.com/uploads/1/3/4/8/134861654/04c55c7d7276e5.pdf
    • http://rajajime.mypressonline.com/ranusokoxukujunutigu.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://kifesafijupesob.onlinewebshop.net/39856158289.pdf
    • https://s3.amazonaws.com/woneketelak/figurative_language_examples_simile.pdf
    • http://dowafirowelumex.atwebpages.com/aphasia_book_free_download.pdf
    • http://fafovinipola.epizy.com/58207024582.pdf
    • https://s3.amazonaws.com/jifedefujodu/hollywood_movies_2016_list.pdf
    • http://kigaxaxoguwebu.rf.gd/80667143368.pdf
    • http://gujodupilewibo.epizy.com/ramiragazazegosujoseka.pdf
    • http://vevemaj.rf.gd/renaissance_art_and_music_crossword_puzzle_answers.pdf
    • https://s3.amazonaws.com/baxekojojexusol/lefipolirodajik.pdf
    • https://s3.amazonaws.com/zoromexemuzid/nobagodozatuvalap.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000e99a.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xE99A   5208 bytes
  SHA-256: ae66d6771c5ce5154123f78d1d8707671ddf4ab65d92f24a94040d7997bf14fe
font_01_sfnt_off0000fb74.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xFB74   1892 bytes
  SHA-256: bafcfd1afab53a3f4678d1246fd71a846553f840a222806fad580a24350d2e76
font_02_sfnt_off00010492.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x10492  12840 bytes
  SHA-256: 3dfc10fd5784426235ba068a50a6bbb9dba834e80477b3ec9e89771b91e8dd39
font_03_sfnt_off00012dee.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x12DEE  16092 bytes
  SHA-256: c9557d91917e40dbb2ce09b7ef560a04a9a832ffe2ebcac6b50408a58351272e