Malicious PDF — malware analysis report

Static analysis result for SHA-256 1a8716142a9023d7…

Verdict: MALICIOUS
File type: PDF
Size: 73.8 KB
Created: 2021-05-30 02:42:43 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 437d42addabae382fa5645d7e610469c
SHA-1: c2844ae88014a60066cfdaf3094efdaa935fe493
SHA-256: 1a8716142a9023d79afc69b1a732712890b7999e5ef9dd386828ef305a38fa87
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF carries a large number of external links, most of them to other PDFs with numeric or generic slugs hosted on free site builders and their CDNs (weebly.com, strikinglycdn.com, f-static.net). That is the shape of a generated SEO link farm, not of a document citing sources. The primary outbound link, https://botokaw.ru/wb?keyword=poisson%20distribution%20expected%20value%20x%5E2, has unknown reputation and is the likely redirect or landing page the document exists to route readers to. Together with the ClamAV signature and the ML classifier score, this points to phishing or malware distribution rather than a legitimate document. Note that none of the heuristics listed below reports JavaScript in the file, so the T1059.007 mapping is not supported by the evidence shown on this page and should be treated as tentative.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware with signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0.
  • External URI [info] PDF_URI
    The PDF contains an external URL action (/URI).
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content for that object, a parser-confusion shape used by targeted PDFs to show one thing to a scanner and another to the viewer. Body-only differences are also common in benign incremental updates (the document was saved more than once), so severity is raised only when the duplicated object carries active content such as a URI or JavaScript action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels (not reproduced here) record which channel (macro, JS, link annotation, document body, ...) reached each URL. The trailing entries in this list (the w3.org RDF, purl.org Dublin Core and ns.adobe.com XMP URIs, and the SIL OFL address) are XMP metadata namespace identifiers and a font licence URL, not clickable link targets.
    • https://botokaw.ru/wb?keyword=poisson%20distribution%20expected%20value%20x%5E2
    • https://cdn-cms.f-static.net/uploads/4370768/normal_60303e176f3d7.pdf
    • https://cdn-cms.f-static.net/uploads/4461202/normal_5fd2615f195d3.pdf
    • https://matexofetuboso.weebly.com/uploads/1/3/1/4/131453592/fepaka_misulex.pdf
    • https://kifakujokaw.weebly.com/uploads/1/3/4/7/134709271/seseza-tamulavo-duvufolidax-jovolasesefi.pdf
    • https://cdn-cms.f-static.net/uploads/4369936/normal_606ca331ed685.pdf
    • https://zoziwaxixu.weebly.com/uploads/1/3/5/3/135316133/bixofufow-gojida.pdf
    • https://ganipomadajo.weebly.com/uploads/1/3/2/6/132695424/kafupepevepak_vofuponetuxe_birotim.pdf
    • https://womogidukiwu.weebly.com/uploads/1/3/4/8/134873304/2194408.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/7f0cb3e0-2783-4110-a142-a9bda0153cec/different_words_british_vs_american.pdf
    • https://uploads.strikinglycdn.com/files/cb916f27-9687-4887-aff0-1bbb9dbed8d9/que_son_las_mezclas_heterogeneas_para_nios.pdf
    • https://uploads.strikinglycdn.com/files/f8c320be-334a-4c60-ae4c-04d307bb4b96/47680424065.pdf
    • https://uploads.strikinglycdn.com/files/b9dcb189-4985-4394-8519-575bd9dc108b/ashrae_fundamentals_handbook_cooling_load_calculation_ed._2001.pdf
    • https://uploads.strikinglycdn.com/files/a18c95b8-b9e4-4673-9263-33b294c64b2d/wizard_leveling_guide_ragnarok_online.pdf
    • https://uploads.strikinglycdn.com/files/2c2119c8-1a13-4a23-bda2-1fc613f4a140/bigolizupapogajonu.pdf
    • https://uploads.strikinglycdn.com/files/f835e8da-456f-4ae7-9638-5fbd5f591e4d/ejercicios_de_matematicas_tercero_de_primaria_sm.pdf
    • https://uploads.strikinglycdn.com/files/c1d46753-8ce0-4316-bdf6-73297200eb19/whirlpool_microwave_model_wmh31017as-0.pdf
    • https://uploads.strikinglycdn.com/files/70e82517-07b0-487a-81b8-8e153e179922/92099586447.pdf
    • https://uploads.strikinglycdn.com/files/7df41034-e84b-40cc-bce5-7225a1a643eb/7335279004.pdf
    • https://uploads.strikinglycdn.com/files/00ca1390-4b10-41c3-bce1-0d1383e3a4d8/seduvewu.pdf
    • https://uploads.strikinglycdn.com/files/b91022dc-b88b-4513-ac96-3f556618f005/wojodavopozuwosaperulu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
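The three PDF heuristics above (PDF_URI, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) can be reproduced on raw bytes without a PDF library. The Python below is an added example written for this page; it is not the analysis platform's code, and the sample document, the host names and the thresholds (256 KB file size, at least three links, 50% share on one host) are assumptions. It builds both a first-wins and a last-wins view of the object table so the reader can see how a redefined object changes which URL a viewer would follow.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample, not the analysed file: five /Link annotations (four on one
# host), then object 4 redefined with a different /URI in an appended update.
# Real incremental updates also append an xref section and /Prev; omitted here.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R 8 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example/a.pdf) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example/b.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example/c.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example/d.pdf) >> >> endobj
8 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://other.example/) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://lure.example/wb?keyword=x) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")  # literal-string URIs only; hex strings ignored
# Keys treated as "active content" when they appear in a duplicated object body (assumed list).
ACTIVE_KEYS = (b"/URI", b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction", b"/AA")


def index_objects(data):
    """Map (num, gen) -> list of body bytes in file order, keeping every duplicate."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return objs


def duplicate_objects(objs):
    """Objects defined more than once with differing bodies -> whether any copy is active."""
    out = {}
    for key, bodies in objs.items():
        if len(set(bodies)) > 1:
            out[key] = any(k in b for b in bodies for k in ACTIVE_KEYS)
    return out


def resolve(objs, policy):
    """First-wins or last-wins view of the object table, as different readers build it."""
    pick = (lambda b: b[0]) if policy == "first" else (lambda b: b[-1])
    return {k: pick(v) for k, v in objs.items()}


def extract_uris(resolved):
    """Every /URI action target visible in one resolved view of the document."""
    uris = []
    for body in resolved.values():
        uris.extend(m.group(1).decode("latin-1") for m in URI_RE.finditer(body))
    return uris


def link_farm_check(data, uris, max_size=256 * 1024, min_links=3, min_share=0.5):
    """PDF_SEO_LINK_FARM-style check: small file, several external links, one dominant host.
    Returns (host, share) when the pattern matches, else None. Thresholds are assumptions."""
    hosts = Counter(urlsplit(u).hostname for u in uris if u.startswith(("http://", "https://")))
    total = sum(hosts.values())
    if len(data) > max_size or total < min_links:
        return None
    host, n = hosts.most_common(1)[0]
    share = n / total
    return (host, share) if share >= min_share else None


def analyse(data):
    objs = index_objects(data)
    last = extract_uris(resolve(objs, "last"))
    return {
        "duplicates": duplicate_objects(objs),
        "uris_first_wins": extract_uris(resolve(objs, "first")),
        "uris_last_wins": last,
        "link_farm": link_farm_check(data, last),
    }


if __name__ == "__main__":
    for name, value in analyse(SAMPLE_PDF).items():
        print(name, value)
```

On the constructed sample, object 4 is reported as duplicated with active content, a first-wins view of the file follows https://cdn.example/a.pdf while a last-wins view follows https://lure.example/wb?keyword=x, and the link-farm check still fires because three of the five surviving links sit on cdn.example. The object scanner is deliberately naive: it does not handle object streams, encrypted documents or hex-string /URI values, which a production analyser must decode before applying the same logic.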

Extracted artifacts (2)

Files carved from inside the sample during analysis. Both are embedded sfnt (TrueType/OpenType) font streams, which are expected in wkhtmltopdf output; neither triggered a heuristic above.

font_00_sfnt_off0000de95.bin
  SHA-256: d835d19be11ccd5064ff05abb1e408c02c5ed10024898316e2b623dc3d952326
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xDE95
  Size: 5520 bytes

font_01_sfnt_off0000f170.bin
  SHA-256: b5cafef58e14316fe93b6ff00c11828aa4a78cec7a63d81dfee6daf73e794ffc
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF170
  Size: 11824 bytes