Malicious PDF — malware analysis report

Static analysis result for SHA-256 39d8f245a413029b…

Verdict: MALICIOUS
File type: PDF
Size: 87.7 KB
Created: 2021-04-01 05:17:21 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1b651c856b930d05f05faa0f8a54fcec
SHA-1: 56290bfcf9fade3674080cc0307889faf5cec552
SHA-256: 39d8f245a413029b1fa23ad01457752aefaba9a9c79d1239cb0601044cfa54bb
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous external links, with one notable URL pointing to a suspicious domain ('botokaw.ru') that appears to be part of a link farm. The ClamAV detection and ML classifier strongly indicate malicious intent, likely related to phishing or malware delivery. While no scripts were directly extracted, the presence of many external PDF links suggests an attempt to redirect users to malicious content or download further payloads.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9996

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical; PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical; CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info; PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info; PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info; EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00011ab0.bin
    SHA-256: 91bc2f28d3f0216af26c0f4cd5177670e7ce2d25d4dc6397657e7c3a76e0d5fa
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11AB0
    Size: 5224 bytes
  • Filename: font_01_sfnt_off00012c59.bin
    SHA-256: c00c05633e17328873652c49b140e2b396a2c9ad050fa86d9ca407a9e765e277
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12C59
    Size: 10920 bytes