Malicious PDF — malware analysis report

Static analysis result for SHA-256 0c6c8ffd72d762ac…

MALICIOUS

PDF

87.2 KB Created: 2021-03-11 20:51:53 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7eacf2136c754a2f2ace13156141a208 SHA-1: 1e2cae47df56a534cd1f07be54795f7557bf3b74 SHA-256: 0c6c8ffd72d762ac32aaabd5189d041caf5c6b35125e9b474b1721a1f8ed4782
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a phishing or trojan threat. It contains a large number of external links, many pointing to other PDF files, suggesting a link farm or SEO manipulation tactic. One of the embedded URLs, 'https://botokaw.ru/123?utm_term=presentation+phrases+pdf', is particularly suspicious and likely serves as a lure or distribution point.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://botokaw.ru/123?utm_term=presentation+phrases+pdf
    • https://limifotediko.weebly.com/uploads/1/3/5/3/135325738/bunotaxunipinan-pezero.pdf
    • https://cdn-cms.f-static.net/uploads/4422385/normal_602e787857618.pdf
    • https://gadebalemalun.weebly.com/uploads/1/3/4/4/134443756/633b5aab64f344f.pdf
    • https://mologikonazo.weebly.com/uploads/1/3/4/7/134706863/nelulavusezi.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://49432a94-54bc-4d13-9d12-ea41d731e1b8.filesusr.com/ugd/a7c689_baad4e89f53540edaf593e97807ad2b6.pdf?index=true
    • https://91ca87c2-c493-4616-adaa-fbcec45394e1.filesusr.com/ugd/6116da_78ebaaf9d5444dfcb039651de847548d.pdf?index=true
    • https://b6e49935-6d58-4bde-831f-6e0b746776d3.filesusr.com/ugd/7d321f_17cc8a33d1b34aa2bd526cbdc905b6e6.pdf?index=true
    • https://61090d85-22e6-4724-b969-52a17785150c.filesusr.com/ugd/952c2e_ee8dfe6535e948dca8bf80985c74d5cd.pdf?index=true
    • https://uploads.strikinglycdn.com/files/43a2d58d-b121-426e-8f48-8a93d88758db/tomopok.pdf
    • https://36622f5a-5a1b-41a5-aa98-965156e47ac2.filesusr.com/ugd/804ff6_5b9cf8f0959347498d100bf8e6b1966d.pdf?index=true
    • https://f579be4a-c2ec-451d-94ee-532237c06880.filesusr.com/ugd/9f6a24_3d37cc9ef42249fda5241ce827fd26e9.pdf?index=true
    • https://3633ae4e-9acc-45df-885e-1bfa1481cb44.filesusr.com/ugd/e73054_f2e264234a6b4d46a53fd41eb9285369.pdf?index=true
    • https://e590c0d9-b694-44fb-9862-47327b30d8b0.filesusr.com/ugd/89363e_1ea6a4f0f49643d19f562923851746c5.pdf?index=true
    • https://a1c9bafd-2917-4c1b-b79c-a4b44a941470.filesusr.com/ugd/f0f215_a05868bb5173493f9a158f21549c0bbd.pdf?index=true
    • https://e691ad07-92dc-45fa-af10-8929b4045ede.filesusr.com/ugd/87b9a8_e687793cf59c46f7b91940ef9628ba08.pdf?index=true
    • https://uploads.strikinglycdn.com/files/04ac9939-29c0-499d-9a49-6d7bdba29e02/how_to_make_a_pop_fiction_book_cover.pdf
    • https://uploads.strikinglycdn.com/files/ba342543-79ca-4285-af73-ded398be28af/home_speakeasy_bar_ideas.pdf
    • https://9cf93ecd-64ee-4ad6-afcc-f350577a7522.filesusr.com/ugd/c4dbd3_b0dee3e52f4240f5bb8b309e8cdff6d9.pdf?index=true
    • https://a72b158e-cead-41d6-a0b3-8518216316a4.filesusr.com/ugd/35c6e2_a3b0b13d96d6441ebcbcd9e8adc48010.pdf?index=true
    • https://86146b48-cf95-488a-b5a0-22832f4589a6.filesusr.com/ugd/3b4eee_99e3af5ceb5047708ed57e1fbb91fe85.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000117c1.bin
29ef2cb687211a41da5e07c896fc340fd908d1298571f665229dd9094bf2fa51		 pdf-font-stream PDF embedded font (sfnt) at offset 0x117C1 5096 bytes
font_01_sfnt_off0001290f.bin
986e6ba415c384bed25d1cf8707c21cf077244cb44e4323d1bdceb6cc347173c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1290F 11328 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.