Malicious PDF — malware analysis report

Static analysis result for SHA-256 d01cde3931162643…

MALICIOUS

PDF

87.3 KB Created: 2021-03-17 16:41:22 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b6d93cba8b5c07d57be3ba02ccba8525 SHA-1: c8e583cc7051964675e74fee7b1fda79ef00a6b0 SHA-256: d01cde39311626437ddddd7bd683bfb653fe36be34516d14f97d3b3b475ac9a9
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was flagged by multiple heuristics, including ClamAV and an ML classifier, as malicious and phishing-related. It contains a large number of external links, many of which point to potentially malicious or SEO-driven content, with a primary suspicious URL being https://bologen.ru/wix?keyword=ace+fishing+cheats+2020. The PDF structure and embedded content suggest an attempt to disguise malicious links within a seemingly benign document, likely as part of a phishing or malware distribution campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://bologen.ru/wix?keyword=ace+fishing+cheats+2020
    • https://static.s123-cdn-static.com/uploads/4416143/normal_5ffd50ae09a6b.pdf
    • http://moneyindia.site/colin_kaepernick_pro_football_hall_of_fame2t2jk.pdf
    • https://xibomuwupipufa.weebly.com/uploads/1/3/5/3/135389044/wugoxawixed.pdf
    • https://static.s123-cdn-static.com/uploads/4414688/normal_60081a96593da.pdf
    • https://static.s123-cdn-static.com/uploads/4414335/normal_5fcb02192156f.pdf
    • https://nepagezefo.weebly.com/uploads/1/3/4/4/134472827/susividumawedex.pdf
    • https://static.s123-cdn-static.com/uploads/4382779/normal_5fd08abebbfa6.pdf
    • http://mkr-olimp.info/29120996582c7wzq.pdf
    • https://tosoremekik.weebly.com/uploads/1/3/4/7/134771766/75242fe45989.pdf
    • https://nabolonoroxene.weebly.com/uploads/1/3/4/3/134373159/9403786.pdf
    • https://dejuxowiku.weebly.com/uploads/1/3/0/7/130738850/kutoperozefad.pdf
    • http://podarokinsta365.site/statics_and_mechanics_of_materials_chapter_3_solutionsosps8.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.opentle.org
    • https://uploads.strikinglycdn.com/files/7f1d8337-5e35-4b54-a20a-47285c01e81a/36890210472.pdf
    • https://uploads.strikinglycdn.com/files/1333e3e7-34e2-4193-9259-5b949ddb3a94/how_to_get_rid_of_water_bumps_in_mouth.pdf
    • https://05e27880-d5e1-4d3d-8428-ba943e9300bc.filesusr.com/ugd/b56239_7abb4353f4624a9082a8f0990b2b17eb.pdf?index=true
    • https://uploads.strikinglycdn.com/files/033d094b-5ba3-4ef8-95b8-39f54d3bb2d9/famalisajubikaxinad.pdf
    • https://uploads.strikinglycdn.com/files/796d179e-75e3-4308-83da-98e609cbabe9/pawixuninupoxotupewaf.pdf
    • https://uploads.strikinglycdn.com/files/b41a6a7b-f3c4-4cbb-8fe1-aa75ba6ce0a0/bolonoruzulegudujisoki.pdf
    • https://5e446c31-fcb6-4427-a178-91ee45bbff8b.filesusr.com/ugd/4e76b8_67e429f978524d3d9bdd4197080350a0.pdf?index=true
    • https://uploads.strikinglycdn.com/files/cc7bcdf1-2a39-4306-be79-19f22ee86cd4/noputiwapeviforuwigo.pdf
    • https://67dc9804-4028-4298-afd7-d431d2c16fe6.filesusr.com/ugd/559c84_29869b4ce2cb4490a0eab0663439a423.pdf?index=true
    • https://7a3463bf-3117-47cc-940f-ad9d50d05675.filesusr.com/ugd/9f2514_723daeb0d3a94f97831b9d21c860ecb8.pdf?index=true
    • https://uploads.strikinglycdn.com/files/4bc72480-2af9-45ba-99d8-44ad8c0aca77/1186274611.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://www.gnu.org/licenses/gpl.html

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000fb52.bin
8432f634ae7a1abe4954a30c095aca804996331ef895df2aea3518fe6d34d0ed		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFB52 5280 bytes
font_01_sfnt_off00010d47.bin
7e39cf7fef5c67ae390f226bc4373f1f866918aab74b5234915a9255310d8eb1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10D47 9160 bytes
font_02_sfnt_off00012712.bin
0090805ae8821e304477b380f2c18964b58b8033640eb0745f0e202274ffcf57		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12712 11492 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.