Malicious PDF — malware analysis report

Static analysis result for SHA-256 429b3801b8a7053e…

Verdict: MALICIOUS

File type: PDF

Size: 75.8 KB
Created: 2021-03-18 03:53:51 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
(Creation date and authoring application come from the PDF's own Info/XMP metadata, which the author controls; they are context, not evidence.)
MD5: 490ab91e82aa4be8078010e476d40b99
SHA-1: d65475283a4edeed93dacf46ea588258d6710f1a
SHA-256: 429b3801b8a7053e1accd59ab7fd48b1df3cf72a55bb2c5ce4a988e041cf7ade
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF has the shape of a phishing or unwanted-software lure rather than a genuine document. It is small (75.8 KB) and declares wkhtmltopdf as its authoring application, yet it carries two dozen clickable external links, most of them to other PDF files on a handful of file-hosting domains (cdn.sqhk.co, *.filesusr.com, *.weebly.com, cdn-cms.f-static.net), plus a search-style link to botokaw.ru whose query string is the keyword phrase 'stoichiometry concept enforcement crossword answers'. That is the generated SEO link-farm pattern the PDF_SEO_LINK_FARM heuristic matches: the document exists to route searchers onward, not to be read. The Nyx classifier (0.9991) and the ClamAV phishing/trojan signature both rate the file malicious. Two caveats for triage: none of the listed heuristics reports embedded JavaScript, so the T1059.007 mapping is not corroborated by the static findings shown here; and the duplicated-object finding is rated info only, which implies no active content was found in the redefined object. The links, not an exploit, are the payload.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9991

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV detection (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware under signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content; here it stays at info.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels say which channel (macro, JS, link annotation, document body, ...) reached each URL, but those labels are not reproduced in this listing. Reading the list itself: the botokaw.ru search link and the 23 .pdf targets are the external link targets; the w3.org, purl.org and ns.adobe.com entries at the end are XMP namespace identifiers, and the scripts.sil.org/OFL, ascendercorp.com and daltonmaag.com entries are licence, vendor and designer URLs of the kind carried in embedded font name tables (the sample embeds three sfnt fonts, see Extracted artifacts). Neither of those last two groups is a clickable link.
    • https://botokaw.ru/wix?keyword=stoichiometry+concept+enforcement+crossword+answers
    • https://cdn.sqhk.co/zubavagi/ikggxhg/73219124274.pdf
    • https://cdn.sqhk.co/foroboreb/gh0AOSb/75911124449.pdf
    • https://cdn-cms.f-static.net/uploads/4367667/normal_60116178457cd.pdf
    • https://cdn.sqhk.co/vetejevibas/s9Djfjc/rotezepuxutafer.pdf
    • https://cdn-cms.f-static.net/uploads/4369336/normal_6029d139a94ac.pdf
    • https://cdn.sqhk.co/bisuligiga/giGhcqL/suxokusesadarisuxutawomo.pdf
    • https://cdn.sqhk.co/lorotukogof/NoAjggi/62005646547.pdf
    • https://cdn.sqhk.co/redusebi/jhhhbiP/cardi_b_live_performance_i_like_it.pdf
    • https://tulivugid.weebly.com/uploads/1/3/4/6/134607321/0e90e98.pdf
    • https://cdn.sqhk.co/jifigetuxu/jjjthjC/micro_mechanic_app_ios.pdf
    • https://cdn.sqhk.co/xajamenujo/gitrgeU/hebrew_word_for_master_builder.pdf
    • https://tutajuvaxuzife.weebly.com/uploads/1/3/5/9/135976456/044817c135.pdf
    • https://cdn.sqhk.co/wozejodes/jea4gsT/air_hockey_table_size_chart.pdf
    • https://cdn.sqhk.co/wepigosogo/gebyrhf/namurojijum.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://01d67eed-50ba-4ccb-8f82-c1581f7ed07e.filesusr.com/ugd/e3325f_151c04b6f94644c7bc8789a1fe4e7cb9.pdf?index=true
    • https://dba0ca6b-c979-46b3-87c9-041648dee063.filesusr.com/ugd/6f58fb_be5dbdfae00840fa821880365f41512a.pdf?index=true
    • https://459fb65c-52af-4c88-885a-43a44fbeaf25.filesusr.com/ugd/6a7407_79032d111cdd4f0f8f9caa5127cd1ef6.pdf?index=true
    • https://288dffde-0386-48bd-adba-b069b5f3b70f.filesusr.com/ugd/7e1b39_622292e40bf04a19a6a17d6993448507.pdf?index=true
    • https://662517ce-f374-4037-aebd-99b1dbe00103.filesusr.com/ugd/0c4177_c564d93ca3784c53bf0bf114b5af6819.pdf?index=true
    • https://24451074-f53b-4065-993c-779ba3957988.filesusr.com/ugd/0ae25f_a251a4773e6d41d5880b4f0ede7238c0.pdf?index=true
    • https://a1359116-1358-4cde-afc5-3600b4bb50db.filesusr.com/ugd/3b0c81_9b71c541e62346c2a987ddefb872a7bd.pdf?index=true
    • https://2ddedb0e-b7b0-41c9-a8bc-c018bd0e6e4c.filesusr.com/ugd/70094d_dacee7fcd16847bb8473c6ce72c08f1f.pdf?index=true
    • https://6e7ef639-f89a-4701-86f9-710a836f1183.filesusr.com/ugd/12745a_b0404489c75d45f4a5073a691c10621e.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
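The two structural heuristics above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, can be reproduced in a few dozen lines. The following is an added example written for this page, not the analysis engine's own code: it builds a minimal PDF inline (six link targets copied from the report's URL list, plus object 4 redefined by an incremental update), counts /URI targets per host, and lists every object number whose later definition differs from its first, marking the finding "raised" only when either body carries an action or JavaScript key. The thresholds (max_size, min_links, min_share) and the active-content keyword list are assumptions.

```python
# Added example, not the analysis engine's code: re-implements the shape of the
# PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristics over a
# constructed PDF. Thresholds (max_size, min_links, min_share) are assumptions.
import re
from collections import Counter
from urllib.parse import urlsplit

# Six link targets taken from the report's URL list, embedded here as constructed input.
SAMPLE_URLS = [
    "https://botokaw.ru/wix?keyword=stoichiometry+concept+enforcement+crossword+answers",
    "https://cdn.sqhk.co/zubavagi/ikggxhg/73219124274.pdf",
    "https://cdn.sqhk.co/foroboreb/gh0AOSb/75911124449.pdf",
    "https://cdn.sqhk.co/vetejevibas/s9Djfjc/rotezepuxutafer.pdf",
    "https://cdn.sqhk.co/lorotukogof/NoAjggi/62005646547.pdf",
    "https://tulivugid.weebly.com/uploads/1/3/4/6/134607321/0e90e98.pdf",
]

URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")  # string-valued /URI keys; hex strings and escapes not handled
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
ACTIVE_RE = re.compile(rb"/(JS|JavaScript|OpenAction|AA|Launch|SubmitForm|URI)\b")


def build_sample_pdf() -> bytes:
    """Constructed, minimal (not fully valid) PDF: one page with link annotations, and
    object 4 defined twice with different bodies, as an incremental update would do."""
    annots = b"".join(
        b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
        b"/A << /S /URI /URI (" + u.encode() + b") >> >>\n"
        for u in SAMPLE_URLS
    )
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [\n" + annots + b"] >> endobj\n"
        b"4 0 obj << /Title (benign) >> endobj\n"
        b"trailer << /Root 1 0 R >>\n"
        # incremental update: same object number, different body, now carrying an action
        b"4 0 obj << /Title (updated) /OpenAction << /S /URI /URI (https://botokaw.ru/wix) >> >> endobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


def extract_uri_targets(pdf: bytes) -> list:
    """Targets of /URI actions (clickable links), not XMP namespaces or font metadata."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf)]


def link_farm_verdict(pdf: bytes, max_size=200_000, min_links=5, min_share=0.5) -> dict:
    """PDF_SEO_LINK_FARM shape: small file, many external links, most on one host."""
    targets = extract_uri_targets(pdf)
    hosts = Counter(urlsplit(t).hostname or "" for t in targets)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_n / len(targets) if targets else 0.0
    pdf_links = sum(1 for t in targets if urlsplit(t).path.lower().endswith(".pdf"))
    return {
        "flag": len(pdf) <= max_size and len(targets) >= min_links and share >= min_share,
        "links": len(targets),
        "pdf_links": pdf_links,
        "top_host": top_host,
        "share": round(share, 2),
    }


def duplicate_objects(pdf: bytes) -> list:
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL shape: report every (num, gen) whose later
    definition differs from its first. A first-wins reader sees the first body, a
    last-wins reader the last; severity is raised only if either carries active content."""
    first, findings = {}, []
    for m in OBJ_RE.finditer(pdf):
        key = (int(m.group(1)), int(m.group(2)))
        body = m.group(3).strip()
        if key not in first:
            first[key] = body
        elif body != first[key]:
            active = bool(ACTIVE_RE.search(first[key]) or ACTIVE_RE.search(body))
            findings.append({
                "object": "%d %d" % key,
                "first_wins": first[key].decode("latin-1"),
                "last_wins": body.decode("latin-1"),
                "severity": "raised" if active else "info",
            })
    return findings


if __name__ == "__main__":
    sample = build_sample_pdf()
    print(link_farm_verdict(sample))
    for f in duplicate_objects(sample):
        print(f["object"], f["severity"], "| first-wins:", f["first_wins"], "| last-wins:", f["last_wins"])
```

On the constructed sample the link-farm check fires (seven /URI targets, four of them on cdn.sqhk.co) and object 4 is reported with its two bodies side by side; because the second body adds an /OpenAction, the finding is marked raised, whereas on the real sample the engine left it at info. The regexes are deliberately naive (no xref walking, no object streams, no hex strings), which is also why a production carver should not rely on them alone.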

Extracted artifacts (3)

Files carved from inside the sample during analysis. All three are embedded fonts (sfnt containers), not scripts or executables; they are listed so they can be hashed and compared against known font files, not as detections.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000dd26.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xDD26   5448 bytes
  SHA-256: 868c658937e20fb4b75fdd13d7a1d1073942c13a2f460cbcf42c80a292a95136
font_01_sfnt_off0000ef8e.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xEF8E   10480 bytes
  SHA-256: e6bfcbe2834babfe25bab0402f360a03a69f03fa4a184d96ce7b5c5848eab862
font_02_sfnt_off0001135b.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1135B  4324 bytes
  SHA-256: 9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2
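The carving step behind this table is simple to reproduce. The block below is an added example written for this page, not the engine's own carver: it walks every stream object in a constructed PDF, inflates FlateDecode streams, and keeps any decoded stream that starts with an sfnt magic (TrueType 00 01 00 00, OpenType/CFF OTTO, Apple true, collection ttcf), recording file offset, decoded size and SHA-256 in the same shape as the table. The font payloads are placeholder bytes with a valid magic, not real fonts, and the filter check (looking for /FlateDecode in the preceding dictionary) is a shortcut a real parser would replace with proper /Filter handling.

```python
# Added example, not the analysis engine's own carver: reproduce the "Extracted
# artifacts" step over a constructed PDF. The font payloads are placeholders.
import hashlib
import re
import zlib

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true", b"ttcf")  # TrueType, CFF OpenType, Apple, collection
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)

# Constructed placeholder payloads: only the leading magic matters to the carver.
FAKE_TTF = b"\x00\x01\x00\x00\x00\x0c" + b"\x00" * 58  # 64 bytes, TrueType magic
FAKE_CFF = b"OTTO\x00\x09" + b"\x00" * 26                # 32 bytes, OpenType/CFF magic


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _stream_obj(num: int, payload: bytes, flate: bool) -> bytes:
    """One 'N 0 obj << ... >> stream ... endstream endobj' block, optionally deflated."""
    data = zlib.compress(payload) if flate else payload
    filt = b" /Filter /FlateDecode" if flate else b""
    return (b"%d 0 obj << /Length %d%s >>\nstream\n" % (num, len(data), filt)
            + data + b"\nendstream\nendobj\n")


def build_sample_pdf() -> bytes:
    """Constructed, minimal PDF with two font streams and one ordinary content stream."""
    return (b"%PDF-1.4\n"
            + _stream_obj(5, FAKE_TTF, flate=True)            # compressed TrueType font
            + _stream_obj(6, b"BT /F1 12 Tf ET", flate=True)  # page content, not a font
            + _stream_obj(7, FAKE_CFF, flate=False)           # uncompressed CFF font
            + b"trailer << >>\n%%EOF\n")


def carve_fonts(pdf: bytes) -> list:
    """Return one record per stream whose decoded bytes begin with an sfnt magic."""
    out = []
    for m in STREAM_RE.finditer(pdf):
        raw = m.group(1)
        # The stream dictionary sits between the object header and the 'stream' keyword;
        # a full parser would read /Filter (and filter chains), this only spots FlateDecode.
        head = pdf[max(pdf.rfind(b"obj", 0, m.start()), 0):m.start()]
        data = raw
        if b"/FlateDecode" in head:
            try:
                data = zlib.decompress(raw)
            except zlib.error:
                continue  # truncated or corrupt stream: nothing reliable to carve
        if not data.startswith(SFNT_MAGICS):
            continue
        offset = m.start(1)  # file offset of the stream data, as in the report's filenames
        out.append({
            "filename": "font_%02d_sfnt_off%08x.bin" % (len(out), offset),
            "sha256": sha256_hex(data),
            "kind": "pdf-font-stream",
            "source": "PDF embedded font (sfnt) at offset 0x%X" % offset,
            "size": len(data),
            "offset": offset,
        })
    return out


if __name__ == "__main__":
    for rec in carve_fonts(build_sample_pdf()):
        print(rec["filename"], rec["kind"], rec["source"], "%d bytes" % rec["size"], rec["sha256"])
```

Hashing the decoded font rather than the compressed stream is the useful choice: the same Liberation or DejaVu face embedded by two different wkhtmltopdf builds deflates to different bytes but decodes to the same sfnt, so the decoded SHA-256 is what lets you confirm a carved font is a stock system font and not something worth deeper inspection.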