Malicious PDF — malware analysis report

Static analysis result for SHA-256 0340c29819d860d7…

MALICIOUS

PDF

Size: 89.1 KB
Created: 2021-04-08 09:10:53 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9ee208678c0da087330b5be09b5f7e92
SHA-1: 84519ec14c1bd3eb80f9e57f57363bb6ad0e5fa9
SHA-256: 0340c29819d860d76bef97812337ad8780754b62a8cf2dc013141d6a68cfe9c7
Risk Score: 164

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF that contains a mass external link farm, with many URLs pointing to other PDF documents. The document body suggests it is an online application form, aligning with a phishing or malware lure. The presence of numerous external links, including one to 'botokaw.ru', indicates an attempt to redirect the user to malicious content. ClamAV also detected this file as Pdf.Phishing.Trojan.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://botokaw.ru/123?utm_term=65th+bpsc+online+application+form

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off000101c1.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x101C1  5576 bytes
  SHA-256: e09de4523a3ae089fc6937566c00bb58d5f68d9c144edc70ca58dafceba62c36
font_01_sfnt_off00011492.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x11492  10740 bytes
  SHA-256: 95d17d75a11fa72e0c0aaae09b675bd35d06abc3ab6d56308244df78541381c6
font_02_sfnt_off00013988.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x13988  8764 bytes
  SHA-256: 307f40e779cba5ece8cb758418619bff4f37361c680bf236ca116abc96ed0268