Malicious PDF — malware analysis report

Static analysis result for SHA-256 3c9cd0c1d0b7398e…

MALICIOUS

PDF

80.1 KB Created: 2021-03-27 15:44:25 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: dd3cc1fbc91ebd8d4c1c128c3e670d56 SHA-1: 1f89fd0c6a96956539cd003b3bbc410bc4c821c7 SHA-256: 3c9cd0c1d0b7398ec08851e6a9ca4ff336512de525082102d5d394aeb5b34b3f
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of external links, with one pointing to a suspicious domain (botokaw.ru), indicating a potential link farm or phishing lure. ClamAV and ML classifiers also flagged this PDF as malicious, specifically as a phishing trojan. While no scripts were directly extracted, the PDF structure and heuristic firings suggest it's designed to redirect users to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://botokaw.ru/123?utm_term=pseudoclitocybe+cyathiformis+edible
    • http://jifosorov.22web.org/atlas_copco_xas_185_compressor_oil_capacity.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://uploads.strikinglycdn.com/files/fb8320b5-f121-4130-b732-2c958674e7f8/how_to_reset_your_wii_u_gamepad.pdf
    • https://caa91486-5fcc-43b7-8b2b-5b817ae85bbe.filesusr.com/ugd/26bbcf_8a3d24b4c9564a2c9bd1d1b767db0df9.pdf?index=true
    • https://uploads.strikinglycdn.com/files/f7a51b9d-af7b-48fb-a98d-9f5b573f8772/ikea_malm_bed_frame_parts.pdf
    • https://uploads.strikinglycdn.com/files/2c3ea572-3899-462c-89a3-4dfbef4df962/what_does_federalist_70_say_about_foreign_policy.pdf
    • https://uploads.strikinglycdn.com/files/936d51d5-01eb-4880-b65c-84f63d58ee40/does_straight_talk_have_unlimited_data_for_hotspot.pdf
    • http://ferobinosu.epizy.com/21814172476.pdf
    • http://lebemowabekoko.rf.gd/english_words_list_with_meaning_in_telugu.pdf
    • https://034b020c-baab-45d1-b3ff-c950d21f9178.filesusr.com/ugd/3c93bc_14fb943f443e4a8a932b59740608742c.pdf?index=true
    • https://uploads.strikinglycdn.com/files/a339eabd-6ee8-4ab9-8b7d-2bc5d957438f/el_guardian_entre_el_centeno_libro_sinopsis.pdf
    • https://uploads.strikinglycdn.com/files/451d1816-56f8-43b5-8f00-cf4a535c39fa/why_is_my_hp_chromebook_not_charging.pdf
    • https://bc732cde-fb09-4fee-8ab5-c82a45a1131b.filesusr.com/ugd/2ac701_5ec376c24a3f4448a66cff6a11021871.pdf?index=true
    • https://uploads.strikinglycdn.com/files/cd120680-81a6-403f-999f-db0c53522518/lizes.pdf
    • https://uploads.strikinglycdn.com/files/7c738a7e-cd3d-4bcb-b7e5-7a37b79176c8/web_services_interview_questions_and_answers_for_experienced_in_.net.pdf
    • https://uploads.strikinglycdn.com/files/07b19355-95e7-4f4e-847a-cbcea338087e/how_is_popular_culture_spread.pdf
    • https://de2a8dfc-dc8d-4d62-be3b-f97abdd17bf6.filesusr.com/ugd/c722c2_6c0625c3f646467c986ffb7f42fe928d.pdf?index=true
    • http://mumufikoxid.epizy.com/manager_roles_and_responsibilities.pdf
    • https://86a9da1b-0b57-4b35-a77a-523886b904cd.filesusr.com/ugd/0d9a50_f12d4ee27d7b4b92ba00b4da83857d3c.pdf?index=true
    • https://e510c2d5-567e-4a96-89ff-abc18316baf7.filesusr.com/ugd/8a9bcc_44bbc5e94aa14d3bbbdc340767a6f392.pdf?index=true
    • https://855e1e5b-0daf-4dce-aa73-dfad2bfec5df.filesusr.com/ugd/ced2dc_9605692479aa4011aa81456d7d37f4f6.pdf?index=true
    • https://uploads.strikinglycdn.com/files/04e5624e-f531-4fa0-94c2-e15c9d23c5f9/gonisefus.pdf
    • https://uploads.strikinglycdn.com/files/f57fd347-791d-4acf-84c7-08a3d8b84bbd/metro_2033_chapter_7.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ece3.bin
93fe7b28d0f2fccc0748905c278088e2e79329c831a6d3f46d9560db49fedd8f		 pdf-font-stream PDF embedded font (sfnt) at offset 0xECE3 5280 bytes
font_01_sfnt_off0000fed4.bin
807267f0959880e0b98fe15fb1d300d7d623a3e3bda196519c2dc7f66e582220		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFED4 11388 bytes
font_02_sfnt_off000124e4.bin
7f6049e5011acf0e8581793f2bc2bb947aac2929fdb77abc318b2a6155c1ef71		 pdf-font-stream PDF embedded font (sfnt) at offset 0x124E4 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.