Malicious PDF — malware analysis report

Static analysis result for SHA-256 e08a54d2895b153c…

Verdict: MALICIOUS
File type: PDF
Size: 74.0 KB
Created: 2021-06-08 20:25:11 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-25
MD5: 66e35545987fdb80f5c276d9cae6df1b
SHA-1: ec8923f616f9bf68b77f4f6b0d1cf40ca665a1de
SHA-256: e08a54d2895b153c181401155799c2b83e87c4c68cf94fac8087c6ec4db94c24
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

Both ClamAV (a Pdf.Phishing.Trojan signature) and the Nyx PDF classifier (malicious score 0.9998) flag the file. The one URL reached through a clickable link annotation is 'https://krisoc.ru/pbw?utm_term=cleo+menu+apk', so the document's function is to route the reader to that external host, consistent with phishing or unwanted-software delivery rather than with any legitimate content. The utm_term parameter ('cleo menu apk', a search phrase for an Android application) identifies the lure, and the wkhtmltopdf producer string shows the PDF was generated from HTML rather than authored in an office application. The remaining outbound links point at other PDFs clustered on a few file-hosting domains (strikinglycdn.com, weebly.com), which is the pattern the PDF_SEO_LINK_FARM heuristic describes: machine-generated SEO carrier documents whose links feed the same delivery chain.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content for the same reference, a parser-confusion shape used by targeted PDFs to show one thing to a scanner and another to the viewer. Body-only differences are also the normal result of a benign incremental update (the new definition is appended after the previous %%EOF), so severity is raised only when the duplicated object carries active content such as a /URI, /JavaScript or /Launch action.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://krisoc.ru/pbw?utm_term=cleo+menu+apk (PDF link annotation)
    • https://bovidekomuburo.weebly.com/uploads/1/3/5/3/135312485/6690623.pdf (in PDF document text)
    • https://fukorolavo.weebly.com/uploads/1/3/4/6/134639224/bawovavoj.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://uploads.strikinglycdn.com/files/d93ea801-e1b9-4ffc-a6a6-fa261fe5bc55/69826822258.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/6c209a72-d399-42df-9105-85d30fed1b65/85137998640.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/07f48779-eea1-417e-b700-45fe74e5c9bc/how_much_are_eyelash_extensions_at_a_salon.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/32cc4960-11cb-4ae9-b889-d03e11e76afb/bukojen.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/99742829-b476-44c1-9c7b-161655147d92/nafikawuwe.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/c07259ff-348e-4300-a128-c39df931a036/41003193885.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/4c3d29ab-45c5-4c0c-a07c-a9dc2c329ad2/fiddler_on_the_roof_cast_2016.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/d4c0b58a-30e7-41b7-99b0-cedb16140a23/9412462435.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/cf480eb4-963a-43e2-bb8f-fe8ca5c09e8f/75956903342.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/693b6519-e195-4fbe-ab46-a8eb459f7b5d/59696063013.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/47b86584-a42c-4b2b-9644-d0cf1acd0182/78406885887.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/5edca7cf-05dd-42bc-89b2-c8a243792cab/98244972485.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/793e2fe7-6f8d-4bb2-89b6-d72fbacea4d4/what_internal_audit_do.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/e85ee603-8bc9-455b-83eb-f2ff625a2817/37198670823.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text; XMP namespace)
    • http://purl.org/dc/elements/1.1/ (in PDF document text; XMP namespace)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text; XMP namespace)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text; XMP namespace)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text; XMP namespace)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text; XMP namespace)
    • http://scripts.sil.org/OFL (in PDF document text; font licence URL)
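
The three structural heuristics above (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, the per-URL channel labels behind EMBEDDED_URL/PDF_URI, and PDF_SEO_LINK_FARM) can be reproduced with a few regular expressions over the raw file bytes. The Python below is an added example written for this page, not the scanner's own code: it runs over a constructed mini-PDF in which object 4 0 is redefined by an incremental update, so a first-wins reader resolves a harmless link and a last-wins reader resolves a lure. The example.org/.net/.com hostnames, the "small file" limit of 256 KB, the minimum of four .pdf links and the 60% single-host clustering ratio are all this example's assumptions, not thresholds taken from the report.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample (not the analysed file). Object "4 0" is defined twice with
# different bodies: the original Link annotation points at a harmless URL and an
# incremental update appended after the first %%EOF repoints it at a lure.
# All hostnames are placeholders.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] /Contents 5 0 R >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link "
    b"/A << /S /URI /URI (https://docs.example.org/manual.html) >> >> endobj\n"
    b"5 0 obj << /Length 260 >> stream\n"
    b"BT (https://cdn.example.net/uploads/1/a/10001.pdf) Tj\n"
    b"(https://cdn.example.net/uploads/1/b/10002.pdf) Tj\n"
    b"(https://cdn.example.net/uploads/1/c/10003.pdf) Tj\n"
    b"(https://cdn.example.net/uploads/1/d/10004.pdf) Tj\n"
    b"(https://other.example.com/files/note.pdf) Tj\n"
    b"(http://ns.adobe.com/xap/1.0/) Tj ET\n"
    b"endstream endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
    # incremental update: same object number and generation, different body
    b"4 0 obj << /Type /Annot /Subtype /Link "
    b"/A << /S /URI /URI (https://lure.example.net/pbw?utm_term=some+app+apk) >> >> endobj\n"
    b"trailer << /Root 1 0 R /Prev 9 >>\n%%EOF\n"
)

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")          # target string of a /URI action
URL_RE = re.compile(rb"https?://[^\s()<>\[\]\"']+")   # any URL-looking run of bytes
# Dictionary keys whose presence makes a duplicated object "active content".
ACTIVE = (b"/URI", b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA")


def objects(pdf: bytes):
    """Yield (num, gen, body) for every 'N G obj ... endobj' definition, in file order."""
    for m in OBJ_RE.finditer(pdf):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip()


def duplicate_object_bodies(pdf: bytes) -> dict:
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: the same (N, G) defined more than once
    with different bytes. Reports what first-wins and last-wins readers resolve
    and whether any definition carries active content (the severity trigger)."""
    defs = {}
    for num, gen, body in objects(pdf):
        defs.setdefault((num, gen), []).append(body)
    out = {}
    for key, bodies in defs.items():
        if len(bodies) > 1 and len(set(bodies)) > 1:
            out[key] = {
                "first_wins": bodies[0],
                "last_wins": bodies[-1],
                "active": any(tok in b for b in bodies for tok in ACTIVE),
            }
    return out


def extract_urls(pdf: bytes) -> list:
    """EMBEDDED_URL / PDF_URI: every URL together with the channel that reached it,
    'link annotation' when it is the string of a /URI action, else 'document text'."""
    action_spans = [m.span(1) for m in URI_RE.finditer(pdf)]
    found = []
    for m in URL_RE.finditer(pdf):
        start, end = m.span()
        clickable = any(a <= start and end <= b for a, b in action_spans)
        found.append((m.group().decode("latin-1"),
                      "link annotation" if clickable else "document text"))
    return found


def link_farm_score(urls: list, size_bytes: int, small_limit: int = 256 * 1024,
                    min_links: int = 4, cluster_ratio: float = 0.6) -> dict:
    """PDF_SEO_LINK_FARM: a small file with many external links to other .pdf files,
    mostly on one host. The three thresholds are this example's assumptions."""
    pdf_links = [u for u, _ in urls if urlparse(u).path.lower().endswith(".pdf")]
    if not pdf_links:
        return {"fires": False, "pdf_links": 0, "top_host": None, "top_share": 0.0}
    top_host, top_count = Counter(urlparse(u).netloc for u in pdf_links).most_common(1)[0]
    share = top_count / len(pdf_links)
    fires = size_bytes <= small_limit and len(pdf_links) >= min_links and share >= cluster_ratio
    return {"fires": fires, "pdf_links": len(pdf_links), "top_host": top_host, "top_share": share}


def analyse(pdf: bytes) -> dict:
    urls = extract_urls(pdf)
    return {"duplicates": duplicate_object_bodies(pdf), "urls": urls,
            "link_farm": link_farm_score(urls, len(pdf))}


if __name__ == "__main__":
    report = analyse(SAMPLE_PDF)
    for (num, gen), d in report["duplicates"].items():
        print(f"object {num} {gen} defined twice, active content: {d['active']}")
        print("  first-wins reader follows:", URI_RE.search(d["first_wins"]).group(1).decode())
        print("  last-wins reader follows: ", URI_RE.search(d["last_wins"]).group(1).decode())
    for url, channel in report["urls"]:
        print(f"{channel:16} {url}")
    print("link farm:", report["link_farm"])
```

The regex object walk deliberately ignores the cross-reference table and trailer, which is the point: a scanner that trusts the xref sees only the definition the xref points at, while a byte-level walk sees both and can diff them. A benign incremental update produces the same duplicate, which is why the check only becomes a finding when one of the bodies contains an action key, matching the severity rule stated in the heuristic above.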

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                       Size
font_00_sfnt_off0000e7c9.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xE7C9    4660 bytes
  SHA-256: 6e796f7dbc6d61d251003f626fd11004c68e260d9eb00cc3128e0def395bbbf0
font_01_sfnt_off0000f78b.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xF78B    10652 bytes
  SHA-256: 727895a226a3148941aa9ca62ed6f6251b66a113c4016a286618f6d0729443a7