Malicious PDF — malware analysis report

Static analysis result for SHA-256 4e0764d27c227f8d…

Verdict: MALICIOUS
File type: PDF
Risk Score: 186

Size: 77.1 KB
Created: 2021-03-18 06:14:15 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-07-10
MD5: 846cd84e9b2dfc2dd2996112a71275d0
SHA-1: fdc6cc2433f2f93c1ab29e70e8f5a33407a7a687
SHA-256: 4e0764d27c227f8d233fd5cc14df8cec1d337f4ae3d9bd5b0a928eedb9603a03

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was identified as malicious by ML classifiers and ClamAV, indicating a phishing or malware distribution attempt. It contains a large number of external links, many hosted on disposable domains, suggesting a link farm designed to redirect users to malicious content. The document body, though heavily obfuscated, contains references to 'butterfly movie song free', likely a lure to entice clicks on the embedded URLs.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, tag: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm (severity: critical, tag: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting (severity: medium, tag: PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (severity: info, tag: PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, tag: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, tag: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000eff9.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xEFF9
  Size: 5088 bytes
  SHA-256: cd8a8a44cc951a9b8ea05b3936dcd523f4f2ace92d862f3ca624913e3362be55

Filename: font_01_sfnt_off0001014b.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1014B
  Size: 11080 bytes
  SHA-256: 3ade19e46c78ab398b9d46d3111c986562913f523e0c1a3de3d84e6da026406a