Malicious PDF — malware analysis report

Static analysis result for SHA-256 1619d19400e99863…

Verdict: MALICIOUS
File type: PDF
Size: 79.1 KB
Created: 2021-03-27 23:18:57 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 74034fbdd4ea6d17526f94f7ccc00d2c
SHA-1: 9978d1218d24c9fa554ea1d0a38d8c4f93a04014
SHA-256: 1619d19400e99863ef60018eb0e6d6c354ea388a88686e838931d7505be87894
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF document flagged as malicious by ML classifiers and ClamAV. It contains multiple embedded URLs, with the primary one being 'https://botokaw.ru/123?utm_term=dow+uf+membrane+datasheet', likely intended to redirect the user to a malicious payload. The document body, though heavily obfuscated, suggests a lure related to a 'datasheet'. No scripts were extracted, but the presence of external links and the overall detection profile strongly indicate a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier: malicious (score 0.9954)

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://botokaw.ru/123?utm_term=dow+uf+membrane+datasheet

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000e722.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE722
    Size: 5180 bytes
    SHA-256: 11222afd70702293934d3a77d8fe0259011489bd9e7a465681d21d9dfe3613a0
  • font_01_sfnt_off0000f89a.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF89A
    Size: 11504 bytes
    SHA-256: 6f84844fd14a363adc6fc32669c22bcf3b7aef46785ab8f0b1520183cb01671d
  • font_02_sfnt_off00011fef.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11FEF
    Size: 4324 bytes
    SHA-256: 1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361