Malicious PDF — malware analysis report

Static analysis result for SHA-256 3c39950d1d53b70a…

Verdict: MALICIOUS
File type: PDF
Size: 69.9 KB
Created: 2021-03-15 09:46:21 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d055f7e81287d377035df9b8e41aa41d
SHA-1: 0a4fe27a930ce1094c19f8ec0ce7658bbb446f31
SHA-256: 3c39950d1d53b70af31c9bec5849d6e86bf29d4dd9347a3b0fc1ba7684373076
Risk Score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many of which are to benign-looking PDF files, but one key URL, https://botokaw.ru/strik?utm_term=navy+awards+manual, is flagged as malicious. The heuristic 'PDF_SEO_LINK_FARM' indicates a mass of external links, suggesting a link farm or SEO poisoning technique to obscure malicious intent. The ClamAV detection and ML classifier strongly indicate malicious content, likely a phishing lure or a downloader disguised as a document.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve it to different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://botokaw.ru/strik?utm_term=navy+awards+manual (flagged malicious; see Malware Insights)
    • https://cdn-cms.f-static.net/uploads/4413735/normal_600e248261752.pdf
    • https://cdn-cms.f-static.net/uploads/4497110/normal_6040ed07b2885.pdf
    • http://nnorm-id.com/81513951715o2lf8.pdf
    • https://cdn-cms.f-static.net/uploads/4530868/normal_6013f4e921d8f.pdf
    • https://static.s123-cdn-static.com/uploads/4451049/normal_60017e2a58d27.pdf
    • http://prazdnikprosto.ru/dizomojiwem9lmi.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://3778afa4-e5d9-4bb6-be54-d343c89b577b.filesusr.com/ugd/11c894_580842093294454aaef05b378d5f38c8.pdf?index=true
    • https://d38713d8-f9e0-49bf-8e72-3f46774ce551.filesusr.com/ugd/b3faf5_c4adc3c89dfb4b688fbf735b220fd3fd.pdf?index=true
    • https://uploads.strikinglycdn.com/files/492a4a97-e125-4c56-b5c8-a34dddb6b2cf/gospel_of_peter_resurrection.pdf
    • https://s3.amazonaws.com/fasomusogapovi/ayesha_omer_video_songs_free.pdf
    • https://4f65703b-d4c0-4c9c-9e30-73c8cc83ec5d.filesusr.com/ugd/54fa57_d18b7c07d81d46f48e2e492e263500a1.pdf?index=true
    • https://4900ecec-7ac1-411c-be2c-b077674085c8.filesusr.com/ugd/493135_6c5b59197e314aa8b911f137d2d51ca3.pdf?index=true
    • https://a72a44ae-2aae-4d6a-a6c4-235301d0a62e.filesusr.com/ugd/57436b_8132f6f004e149b4a4c0e1a01bc7780c.pdf?index=true
    • https://uploads.strikinglycdn.com/files/cd9c0cc5-9958-41fe-87f9-e570fe372f0d/pivofaduk.pdf
    • https://f77c8dad-41d7-4a8f-8d8d-c05149a3a236.filesusr.com/ugd/36d413_70097e2d558d453897210f41fb6a06bb.pdf?index=true
    • https://uploads.strikinglycdn.com/files/cbfb10f8-0e06-4f4a-b6d0-f969338b1c41/fedex_tracking_by_email_address.pdf
    • https://s3.amazonaws.com/selivuvumepaveb/vijayawada_durgamma_songs.pdf
    • https://7f3dc8b3-869c-44c5-82eb-14ae88d57796.filesusr.com/ugd/dc4ca1_f2b21ccb37fd4888ad0bed75cd9ede39.pdf?index=true
    • https://s3.amazonaws.com/wumodukubaru/jizavafur.pdf
    • https://dd67658a-cc17-4e1c-bca5-42bf299a485b.filesusr.com/ugd/07a440_f2d69e39115c42c0a3ec91ceddc8eff5.pdf?index=true
    • https://uploads.strikinglycdn.com/files/395b27a4-db94-4668-a647-464a01952fbf/xenikox.pdf
    • https://6200e599-3f2f-4e3e-ab45-e6977ed7e777.filesusr.com/ugd/f8de3e_458e1149ff9f434d8d66c51073fbefcb.pdf?index=true
    • https://s3.amazonaws.com/senodiw/police_report_number_check.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000d3b5.bin
    SHA-256: dc20634d6da7446335bfcdf4cf85ffeb3f843c838c7477242f8a19218cdbb15f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD3B5
    Size: 5192 bytes
  • Filename: font_01_sfnt_off0000e566.bin
    SHA-256: 36ed94b42f5f095ebf180c028d3c7bfa442308ebef47c5f3bcdec7612daecc09
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE566
    Size: 10888 bytes