Malicious PDF — malware analysis report

Static analysis result for SHA-256 dec15ea9d5cfe232…

MALICIOUS

PDF

81.8 KB Created: 2021-03-10 13:47:19 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ffb29592597907fb7d9d739bfaf43f2c SHA-1: e5a357c63ea1f37f10146b16296eaabe054c38db SHA-256: dec15ea9d5cfe23295715bf4dbaa539df3074863f96e714bfcce47cdf74bf0eb
124 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file was flagged by a machine learning classifier and ClamAV as malicious, specifically as a phishing trojan. It impersonates a cloud document lure, likely to trick users into clicking a link to download a payload. The embedded URL `https://bologen.ru/wix?keyword=google+drive+aladdin` is the most suspicious IOC, as other URLs were confirmed benign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Cloud document impersonation lure medium SE_CLOUD_DOC_LURE
    Document impersonates a cloud file-sharing service such as SharePoint, OneDrive, Google Drive, Dropbox, Box, or Microsoft 365 and asks the user to open, verify, or access a shared document
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://bologen.ru/wix?keyword=google+drive+aladdin
    • http://gekifek.scienceontheweb.net/198525868.pdf
    • https://static.s123-cdn-static.com/uploads/4461211/normal_5ffc2294ac5da.pdf
    • https://cdn-cms.f-static.net/uploads/4474722/normal_5fda2ca92d8f8.pdf
    • http://bagerisevi.scienceontheweb.net/lidiranudikujufifi.pdf
    • http://tetiviguxawik.getenjoyment.net/karcher_pressure_washer_k2_900_instructions.pdf
    • http://tilosag.mypressonline.com/suntrust_bank_auto_loan_payoff_phone_number.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://s3.amazonaws.com/widofafane/enron_case_study.pdf
    • https://uploads.strikinglycdn.com/files/432c5e13-cbfc-4617-bc7c-1fc588a31dad/basic_calculus_derivative_rules.pdf
    • https://s3.amazonaws.com/xovajukoxin/51414418673.pdf
    • https://uploads.strikinglycdn.com/files/d320610c-93e8-42ac-83f6-34db82a7bac1/rofatozovipuko.pdf
    • https://s3.amazonaws.com/rubidokezive/kubuxozaburedopev.pdf
    • https://uploads.strikinglycdn.com/files/92e77521-f38a-4997-894c-feeb139dc8a1/pioneer_deh1300mp_clock_set.pdf
    • https://s3.amazonaws.com/gonima/wifi_calling_app_apk.pdf
    • https://uploads.strikinglycdn.com/files/a572764b-06a4-4a1a-b45b-77a677b8a05a/wukixinenifabaludupefi.pdf
    • https://uploads.strikinglycdn.com/files/973d8520-eba4-4655-92a7-ada086020188/dejibumewo.pdf
    • http://dozuxix.myartsonline.com/catching_the_big_fish_summary.pdf
    • https://s3.amazonaws.com/gomaxod/simple_journal_entry_excel_template.pdf
    • https://uploads.strikinglycdn.com/files/42faeca3-925d-4bd8-9cee-46284fe46acb/87826676584.pdf
    • https://s3.amazonaws.com/zarelusipofox/liramoxefaf.pdf
    • https://uploads.strikinglycdn.com/files/10ed9397-da24-4db5-9b7d-e1236fc44ded/rosakuzegivaza.pdf
    • https://s3.amazonaws.com/fuvidokibet/why_my_lg_dual_inverter_ac_is_not_cooling.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f87f.bin
934304dd79369fed95329dc66def50034e569c845f12dcf20fd62252dfec1bae		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF87F 4612 bytes
font_01_sfnt_off00010835.bin
e79c8f70c83e3c8daf51c9b6c01d89727aed847ba2d26f5a3deef211f47a5792		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10835 10368 bytes
font_02_sfnt_off00012bbe.bin
d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12BBE 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.