Malicious PDF — malware analysis report

Static analysis result for SHA-256 25386d9143cf083e…

MALICIOUS

PDF

Size: 79.4 KB
Created: 2021-03-15 04:32:37 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-08-20
MD5: a1b7a482a05e70bd2e66a6bb01b3ac0c
SHA-1: b146b98d5c73f26a6c0bca59c445a4437be93191
SHA-256: 25386d9143cf083ec47e518ad751221bb6e77f7657586b0e5739b71cf3d7f433
Risk Score: 136

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains a lure related to a repair manual, which is a common tactic for phishing or malware distribution. The embedded URL, https://botokaw.ru/wix?keyword=1985+chevy+s10+repair+manual+pdf, is identified as an SEO redirector, likely leading to a phishing page. The ClamAV detection and ML classifier strongly indicate malicious intent, consistent with a phishing attack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://botokaw.ru/wix?keyword=1985+chevy+s10+repair+manual+pdf (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                        Kind             Source                                        Size
font_00_sfnt_off0000f8c5.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0xF8C5     6132 bytes
    SHA-256: 855b1d491787bcf9fb11e34b520964002f2addf10ba06c2a05740581da95a6ee
font_01_sfnt_off00010d8c.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x10D8C    10232 bytes
    SHA-256: c7a96229e6547b833620516f876dc0ad9951596c4510295b55295cf2138b68a8