Malicious PDF — malware analysis report

Static analysis result for SHA-256 0fd97ba2589f2356…

Verdict: MALICIOUS
File type: PDF
Size: 75.6 KB
Created: 2021-04-10 00:52:11 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 63f88ddba0b950796f93e49c87c7ece2
SHA-1: 17ad269d6c68f4685410e841548a7777ab04726c
SHA-256: 0fd97ba2589f2356c1f37ae7ee2ae34e19b4e220e8857d50e352a7d37a3859dd
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF was flagged as malicious by a machine learning classifier (score 0.9996) and by ClamAV, which together drive the high risk score. It carries an external URI action pointing to 'https://botokaw.ru/strik?utm_term=keurig+k60+parts+list'; the query string embeds a consumer product search term, a pattern seen in search-engine-optimised lure documents, and the URL is most likely a phishing landing page or a redirector to further malicious content. The document body is heavily obfuscated, so its specific content could not be determined, but the external URL action combined with the ClamAV detection strongly indicates malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware under the signature named above.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Only the first URL below is the one reached by the external URI action (PDF_URI above). The list also contains XMP/RDF namespace URIs (w3.org, purl.org, ns.adobe.com) and font licence URLs (ascendercorp.com, scripts.sil.org/OFL), which come from document metadata and the embedded fonts rather than from any link action and are expected in a wkhtmltopdf-generated file.
    • https://botokaw.ru/strik?utm_term=keurig+k60+parts+list
    • https://fixupikavejezop.weebly.com/uploads/1/3/4/3/134392539/5fe7d8f8d6c3.pdf
    • https://todumubisopid.weebly.com/uploads/1/3/5/3/135312552/fesimot_zosez.pdf
    • https://naxosunibeg.weebly.com/uploads/1/3/4/6/134676516/25e01fe.pdf
    • http://tehnikator.ru/dazavalosowenuvupadefyyg2p.pdf
    • https://kiwiwutirove.weebly.com/uploads/1/3/4/7/134707888/47390b0018dafdf.pdf
    • https://static.s123-cdn-static.com/uploads/4449965/normal_5fdda44fc8788.pdf
    • https://cdn-cms.f-static.net/uploads/4501501/normal_60200a747bdaa.pdf
    • https://cdn-cms.f-static.net/uploads/4384295/normal_600dc34bb5e65.pdf
    • http://rezumitisud.mygamesonline.org/katyusha_piano_sheet.pdf
    • http://damvglaz1.xyz/68567151797cxit.pdf
    • http://viwafuxofiseko.getenjoyment.net/fodakamapawadadamukupuk.pdf
    • http://gazagidumow.mygamesonline.org/92436454514.pdf
    • http://copyrightsupporthelpcenter.com/575808919610hagb.pdf
    • http://befigter.xyz/batman_animated_moviesg1u8j.pdf
    • https://cdn-cms.f-static.net/uploads/4413117/normal_604020d62b6d7.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/cf2d2294-f3d3-4eed-af6c-701cc245b4d7/what_is_sub_0.pdf
    • https://uploads.strikinglycdn.com/files/1d9dd8a1-0877-4873-b3f8-071313f1f520/star_trek_voyager_threshold_non_canon.pdf
    • https://uploads.strikinglycdn.com/files/97a30142-fda3-435a-9492-04794f842ba0/legotuxugobipoxigesexega.pdf
    • https://uploads.strikinglycdn.com/files/53c825bd-4ace-42e7-8b90-8d20da08b26f/64169772765.pdf
    • https://uploads.strikinglycdn.com/files/d65f80a9-85af-463e-9b2e-adb740f5f81b/how_long_does_it_take_to_get_licensed_for_eyelash_extensions.pdf
    • https://uploads.strikinglycdn.com/files/1eee5831-49f2-4aec-b567-a3b815a790ba/80144395028.pdf
    • https://uploads.strikinglycdn.com/files/cb5a6261-c6f3-42e9-89af-e56fdcd7a421/thank_you_maam_text_dependent_questions_answer_key.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
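The two structural heuristics above (PDF_URI and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) are simple to reproduce with a raw byte scan. The script below is an added example written for this report, not output of the analysis engine; it runs over a constructed minimal PDF (not the sample analysed here) in which the link annotation, object 4, is redefined in an incremental update with a different /URI. It reports the duplicate definition, raises severity because the duplicate carries active content, and shows the URI a first-wins reader resolves versus the one a last-wins reader resolves. The regex-based object scan deliberately ignores the xref table, which is why it sees both definitions; a conforming reader would follow /Prev chains instead.

```python
import re
from collections import defaultdict

# Constructed sample (not the file from the report): a minimal PDF whose
# only link annotation, object 4, is redefined in an incremental update
# with a different /URI. Nothing here is rendered; we only scan bytes.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]"
    b" /A << /S /URI /URI (https://example.com/benign) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
    # Incremental update appended after the first %%EOF: same object
    # number and generation, different body bytes.
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]"
    b" /A << /S /URI /URI (https://attacker.example/lure) >> >> endobj\n"
    b"trailer << /Root 1 0 R /Prev 0 >>\n%%EOF\n"
)

# Raw scan for "N G obj ... endobj"; ignores the xref table on purpose.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
# /URI (literal string), stopping at the first unescaped ')'.
URI_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.DOTALL)
# Tokens treated as "active content" when deciding severity.
ACTIVE_TOKENS = (b"/URI", b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction")


def parse_objects(data):
    """Map (num, gen) -> list of body bytes, in file order."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        key = (int(m.group(1)), int(m.group(2)))
        objs[key].append(m.group(3).strip())
    return objs


def duplicate_bodies(objs):
    """Objects defined more than once whose bodies are not byte-identical."""
    return {k: v for k, v in objs.items() if len(v) > 1 and len(set(v)) > 1}


def uri_actions(objs, resolve="last"):
    """URIs reached via /A << /S /URI ... >> actions, resolving a duplicated
    object either first-wins or last-wins to expose the parser-confusion gap."""
    hits = []
    for (num, gen), bodies in objs.items():
        body = bodies[0] if resolve == "first" else bodies[-1]
        if re.search(rb"/S\s*/URI", body):
            for uri in URI_RE.findall(body):
                hits.append((num, gen, uri.decode("latin-1")))
    return hits


def analyse(data):
    """Return duplicate-object and URI findings for a PDF byte string."""
    objs = parse_objects(data)
    dups = duplicate_bodies(objs)
    findings = []
    for (num, gen), bodies in dups.items():
        # Body-only differences are routine in incremental updates; raise
        # severity only when a duplicate carries active content.
        active = any(tok in b for b in bodies for tok in ACTIVE_TOKENS)
        findings.append((f"PDF_DUPLICATE_OBJ_BODY_INCREMENTAL {num} {gen}",
                         "critical" if active else "info"))
    first = uri_actions(objs, "first")
    last = uri_actions(objs, "last")
    for _, _, uri in sorted(set(first) | set(last)):
        findings.append(("PDF_URI", uri))
    return {"duplicates": dups, "first_wins": first,
            "last_wins": last, "findings": findings}


if __name__ == "__main__":
    result = analyse(SAMPLE_PDF)
    for (num, gen), bodies in result["duplicates"].items():
        print(f"object {num} {gen} defined {len(bodies)} times with differing bodies")
    print("first-wins reader sees:", result["first_wins"])
    print("last-wins reader sees: ", result["last_wins"])
    for finding in result["findings"]:
        print(*finding)
```

Run it against a real sample by reading the file in binary mode and passing the bytes to analyse(); for a production triage tool, replace the regex scan with a proper object parser that also walks object streams, since objects compressed inside /ObjStm are invisible to this scan.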

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000e630.bin
  SHA-256: 04ffa8c75e343cab34308f5e20b0361bd73b18cc1d696c9776fbe031ada4bf97
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xE630
  Size:    5316 bytes

Filename: font_01_sfnt_off0000f857.bin
  SHA-256: 4c7fc5f51f3f09162b2dd24d839172273cb43968e7ba8940b9932a505f428602
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xF857
  Size:    11588 bytes