Malicious PDF — malware analysis report

Static analysis result for SHA-256 21440e38acecc990…

Verdict: MALICIOUS
File type: PDF
Size: 72.5 KB
Created: 2021-03-18 18:53:08 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f4d68a0bf09588008c7657f407810432
SHA-1: d456ca142cbe57d82003f1bf2c3e52f43e614019
SHA-256: 21440e38acecc990e30c3fd991cfcdd55d1addfcbfafd8c0aebfa62178e17196
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

This PDF file was flagged by ClamAV as a phishing trojan and by an ML classifier with high confidence (Nyx score 0.9991). It contains a large number of external links, most of them to other PDFs hosted on a handful of upload/CDN hosts, which matches a link farm or SEO manipulation tactic rather than genuine citations; the file was produced with wkhtmltopdf, an HTML-to-PDF converter, which is consistent with a generated page rather than an authored document. One of the embedded URIs, 'https://botokaw.ru/wix?keyword=microbe+invader+reddit', is likely part of the malicious infrastructure. No JavaScript or other scripts were extracted, so the T1059.007 (JavaScript) mapping is not supported by any artifact in this report; the verdict rests on the link structure and the ClamAV signature, and that structure is itself indicative of malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (5)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    A small PDF carries many clickable external links to other PDFs, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, not a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware with signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0.
  • [info] PDF_URI: External URI
    The PDF contains an external URL action (/URI).
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also what a benign incremental update looks like, so severity is raised only when the duplicate carries active content; here it did not, hence the info level.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Note that the last seven entries in the list (the w3.org, purl.org and ns.adobe.com namespace URIs and the scripts.sil.org/OFL licence URL) are XMP metadata and font-licence identifiers, not clickable links.
    • https://botokaw.ru/wix?keyword=microbe+invader+reddit
    • https://cdn.sqhk.co/gazejuruni/jigdlpQ/bovasisitaliwuz.pdf
    • https://cdn-cms.f-static.net/uploads/4372735/normal_602d2c7b442f7.pdf
    • https://static.s123-cdn-static.com/uploads/4453720/normal_5fcb68ef20f34.pdf
    • https://cdn.sqhk.co/gixenerusivu/geMqVG9/3rd_grade_math_pictograph_worksheets.pdf
    • https://cdn-cms.f-static.net/uploads/4427103/normal_600c195101b60.pdf
    • https://cdn.sqhk.co/vilubofi/ihjxmoj/16080550896.pdf
    • https://cdn.sqhk.co/xaripisi/dmejiCi/reforelelanisexibi.pdf
    • https://cdn-cms.f-static.net/uploads/4387821/normal_600d130de9d6a.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/b96a2c1a-41d5-4662-9dea-da244165437a/matlab_inbuilt_functions_list.pdf
    • https://uploads.strikinglycdn.com/files/ba511771-7ec9-4514-9324-b21880762983/grounded_theory_in_nursing.pdf
    • https://uploads.strikinglycdn.com/files/1ff4ca8c-8046-45c2-9acf-15150fb3a0b8/3857146311.pdf
    • https://uploads.strikinglycdn.com/files/ea38f22c-6247-45c2-953e-a654c22db974/what_you_thinking_quotes.pdf
    • https://uploads.strikinglycdn.com/files/17ff6e34-e471-4dc3-8d84-872162705062/breville_smart_oven_pro_air_fryer.pdf
    • https://uploads.strikinglycdn.com/files/fb5756d2-43c3-4453-8c34-a2ae68045988/musical_notes_tattoos_shoulder.pdf
    • https://uploads.strikinglycdn.com/files/e818e6fa-cb95-4836-99cc-fd8c2967283b/32489176241.pdf
    • https://uploads.strikinglycdn.com/files/b527e204-2329-433d-9461-ee7a4b2a0206/juxipibarope.pdf
    • https://502f924d-676a-41b3-8220-87c01882f600.filesusr.com/ugd/5a20bb_1a76921f511c4d8e9e65413c6e2d47a2.pdf?index=true
    • https://e966359d-176b-477a-9ad9-c314bea94227.filesusr.com/ugd/fa6f14_5c2b589b2d8b4dabb493284a40dafe41.pdf?index=true
    • https://uploads.strikinglycdn.com/files/5a3e490a-ba48-47cb-99c0-dbe4fc47eb33/punavowetak.pdf
    • https://e321b6f2-2a0a-4c58-8c60-26baf46d82f1.filesusr.com/ugd/14900c_6c6864aa838340d6ae7d41c546786de5.pdf?index=true
    • https://uploads.strikinglycdn.com/files/375b5641-b1a6-4989-b95d-950e7f48ee74/dunkin_donuts_meatless_sausage_sandwich_nutrition_facts.pdf
    • https://9a9c460d-1cca-40b0-aaa8-67a875e606f2.filesusr.com/ugd/3b0c81_0017a04d46d94924b56cf8e37e71bb96.pdf?index=true
    • https://uploads.strikinglycdn.com/files/6477d790-ce78-42dd-9f3b-4f1ff6d74263/me_before_you_series_book_4.pdf
    • https://uploads.strikinglycdn.com/files/34ac0da4-28a1-408c-aa52-9ebba352edb8/is_it_better_to_do_low_carb_or_keto.pdf
    • https://uploads.strikinglycdn.com/files/28ff0f92-1f28-4b79-9a57-7e74b6784252/93665480762.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
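As an added illustration of the two structural heuristics in this report (PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL), the Python script below is not the scanner's code and is not derived from the analysed sample. It builds a constructed PDF with hypothetical .test hosts, extracts `N G obj` bodies and `/URI` strings at the byte level, scores the link-farm shape, and finds object numbers defined twice with differing bodies, raising severity only when a conflicting body carries an action or script key. The thresholds (file size, link count, host share) and the active-content key list are assumptions, not the tool's values.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Hypothetical re-implementation of two report heuristics; not the scanner's own
# code. Thresholds and the ACTIVE_RE key list below are assumptions.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
ACTIVE_RE = re.compile(rb"/(JS|JavaScript|Launch|OpenAction|AA|SubmitForm)\b")


def iter_objects(data):
    """Yield (num, gen, body) for every 'N G obj ... endobj' in file order."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip()


def extract_uris(data):
    """Return /URI literal strings in file order, with PDF string escapes undone."""
    uris = []
    for m in URI_RE.finditer(data):
        raw = re.sub(rb"\\(.)", rb"\1", m.group(1))  # \( \) \\ -> ( ) \
        uris.append(raw.decode("latin-1"))
    return uris


def link_farm(uris, size_bytes, max_size=200_000, min_links=8, min_share=0.5):
    """PDF_SEO_LINK_FARM shape: a small file with many external links to other
    PDFs, most of them on one host. Returns (flagged, details)."""
    pdf_links = [u for u in uris if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).netloc for u in pdf_links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_n / len(pdf_links) if pdf_links else 0.0
    flagged = size_bytes <= max_size and len(pdf_links) >= min_links and share >= min_share
    return flagged, {"pdf_links": len(pdf_links), "top_host": top_host, "top_share": round(share, 2)}


def duplicate_objects(data):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL shape: the same (N, G) defined more than
    once with different bodies. A first-wins parser keeps the original body, a
    last-wins parser keeps the update. Severity is raised only when one of the
    conflicting bodies carries an action or script key."""
    defs = defaultdict(list)
    for num, gen, body in iter_objects(data):
        defs[(num, gen)].append(body)
    findings = []
    for key, bodies in defs.items():
        if len(set(bodies)) > 1:
            active = any(ACTIVE_RE.search(b) for b in bodies)
            findings.append({"obj": key, "definitions": len(bodies),
                             "severity": "critical" if active else "info"})
    return findings


def triage(data):
    """Run both heuristics over one file and return a compact verdict."""
    flagged, details = link_farm(extract_uris(data), len(data))
    dups = duplicate_objects(data)
    worst = "critical" if flagged or any(d["severity"] == "critical" for d in dups) else "info"
    return {"PDF_SEO_LINK_FARM": flagged, "link_details": details,
            "duplicate_objects": dups, "max_severity": worst}


# Constructed sample (not the analysed file): hypothetical .test hosts.
SAMPLE_LINKS = [f"https://uploads.cdn-one.test/files/{i:02d}/doc_{i:02d}.pdf" for i in range(9)]
SAMPLE_LINKS += ["https://static.cdn-two.test/uploads/normal_1.pdf",
                 "http://www.font-foundry.test/"]


def build_samples():
    """Return (benign, active): the same link-farm PDF followed by a body-only
    metadata update, and then additionally by an update that redefines the
    catalog with an /OpenAction JavaScript."""
    refs = b" ".join(b"%d 0 R" % (10 + i) for i in range(len(SAMPLE_LINKS)))
    annots = b"".join(
        b"%d 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10]"
        b" /A << /S /URI /URI (%s) >> >>\nendobj\n" % (10 + i, u.encode())
        for i, u in enumerate(SAMPLE_LINKS))
    original = (
        b"%PDF-1.4\n"
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
        b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
        b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [" + refs + b"] >>\nendobj\n"
        b"4 0 obj\n<< /Title (Invoice) >>\nendobj\n" + annots +
        b"trailer\n<< /Root 1 0 R /Info 4 0 R >>\n%%EOF\n")
    meta_update = (b"4 0 obj\n<< /Title (Invoice v2) >>\nendobj\n"
                   b"trailer\n<< /Root 1 0 R /Info 4 0 R /Prev 0 >>\n%%EOF\n")
    active_update = (b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R"
                     b" /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >>\nendobj\n"
                     b"trailer\n<< /Root 1 0 R /Prev 0 >>\n%%EOF\n")
    return original + meta_update, original + meta_update + active_update


if __name__ == "__main__":
    benign, active = build_samples()
    for name, blob in (("body-only update", benign), ("active-content update", active)):
        print(name, triage(blob))
```

Run as-is, the body-only variant reports the link farm as flagged and object 4 0 as an info-level duplicate, which is the same outcome the report gives for the analysed file; the second variant raises object 1 0 to critical because its replacement body carries /OpenAction. Two caveats for real use: a byte-level regex only sees unencoded objects, so a production scanner must also inflate compressed streams and unpack object streams (/ObjStm), where annotations and actions can hide; and the `.pdf` path test is what keeps metadata URIs like the XMP namespace entries above out of the link count.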

Extracted artifacts (2)

Files carved from inside the sample during analysis. Both are embedded sfnt (TrueType/OpenType) font programs, the kind of resource an HTML-to-PDF export such as wkhtmltopdf embeds routinely; they are font data, not scripts or actions.

Filename                       Kind              Source                                      Size
font_00_sfnt_off0000df69.bin   pdf-font-stream   PDF embedded font (sfnt) at offset 0xDF69   4928 bytes
  SHA-256: 16f9a5effff17e4862525bda23bda049d668461d273c2d4b4055ea6a073b06e2
font_01_sfnt_off0000f04c.bin   pdf-font-stream   PDF embedded font (sfnt) at offset 0xF04C   10636 bytes
  SHA-256: 12585135b2469f83f5294f0a93935388f3726b91651a3d568d1f47742842365c