Malicious PDF — malware analysis report

Static analysis result for SHA-256 5c69ec2ae4238e82…

Verdict: MALICIOUS
File type: PDF
Size: 76.2 KB
Created: 2021-03-25 17:15:08 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ddbe8730746cf1f5e057bd4ba668d4a7
SHA-1: d332a5e753b5969397920f83ff7ed75315ee60d3
SHA-256: 5c69ec2ae4238e8271d0171bdb25d8079c538cc91feb373487f7845283bd483d
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF contains numerous external links, and the critical PDF_SEO_LINK_FARM heuristic fires because the clickable links are clustered on a small number of static-hosting CDN hosts (static.s123-cdn-static.com, cdn-cms.f-static.net) in a generated link-farm pattern rather than a normal document citation pattern. One of the primary URLs, https://botokaw.ru/123?utm_term=backbone+song+whatsapp+status, is suspicious and likely leads to malicious content or a phishing page. The ClamAV signature and the ML classifier agree, classifying the file as a phishing trojan. No JavaScript, embedded-file or launch-action heuristic fired, so the delivery chain depends on the user following a link rather than on active content inside the document.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (5)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • [info] PDF_URI: External URI
    PDF contains an external URL action.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content (for example a URI, JavaScript or launch action).
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://botokaw.ru/123?utm_term=backbone+song+whatsapp+status
    • https://static.s123-cdn-static.com/uploads/4470830/normal_6007e0b71c639.pdf
    • https://static.s123-cdn-static.com/uploads/4423148/normal_5febcf5a1172b.pdf
    • https://cdn-cms.f-static.net/uploads/4415304/normal_6027f52b41ca5.pdf
    • https://cdn-cms.f-static.net/uploads/4379387/normal_5fda5a038d935.pdf
    • https://cdn-cms.f-static.net/uploads/4393898/normal_602d3965c37fc.pdf
    • https://cdn-cms.f-static.net/uploads/4386349/normal_600d252ea712a.pdf
    • https://static.s123-cdn-static.com/uploads/4411932/normal_600265b2231f0.pdf
    • https://static.s123-cdn-static.com/uploads/4366665/normal_6001a73d89cea.pdf
    • https://cdn-cms.f-static.net/uploads/4372967/normal_602b896ad1b6f.pdf
    • https://static.s123-cdn-static.com/uploads/4367680/normal_5fca33b182298.pdf
    • https://static.s123-cdn-static.com/uploads/4499979/normal_6008f3f06f704.pdf
    • https://cdn-cms.f-static.net/uploads/4423166/normal_600d984f6c205.pdf
    • https://static.s123-cdn-static.com/uploads/4465390/normal_5ffb3ca6e05b7.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://runesufosufej.rf.gd/71332804261.pdf
    • https://uploads.strikinglycdn.com/files/78148246-322f-42a8-b41a-208791b6f535/dir-868l_firmware_singapore.pdf
    • http://pitowurojagit.epizy.com/nurowedoxe.pdf
    • https://uploads.strikinglycdn.com/files/ef744e81-8749-49a3-b4ec-6223ab99a86d/tujepixijokedoduwibi.pdf
    • https://bf23b77b-49a9-4bef-a898-a03cfb94aefa.filesusr.com/ugd/134172_a26c1a67f6284f95be87b2d0d7dc4654.pdf?index=true
    • http://wedizakur.epizy.com/social_psychology_9th_edition_aronson_free.pdf
    • https://9db8f275-5044-409a-aa1b-3306d9dda9bd.filesusr.com/ugd/361f4b_49a061762d7f479eba0c95b215dcd74c.pdf?index=true
    • http://sulisufegetu.epizy.com/private_school_calendar_2020_south_africa.pdf
    • https://35057dd6-1d18-4acd-96c9-af3b7fddc7cd.filesusr.com/ugd/978dd5_5663ea325a464b68b48f2ad1cec45d99.pdf?index=true
    The remaining URLs are XMP metadata namespace identifiers and font licence URLs (consistent with the embedded DejaVu fonts listed under Extracted artifacts), not clickable link targets:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
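The two structural heuristics above (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and PDF_SEO_LINK_FARM) can be reproduced with a small static triage script. The following is an added example written for this page, not the scanner's own code: it locates indirect objects by scanning for `N G obj ... endobj` (no xref parsing, which is exactly why first-wins and last-wins scanners can disagree), reports duplicate object numbers whose bodies differ and whether a body carries active content, extracts `/URI` targets under either resolution policy, and scores host clustering. The sample PDF, the hosts in it and the thresholds (200 KB, 8 links, 60 % on one host) are constructed assumptions, not values taken from the analysed file.

```python
"""Static triage for the two shapes flagged above.  Added example, not the
scanner's own code: the sample PDF and all thresholds are constructed
assumptions.  No xref parsing: objects are located by scanning for
'N G obj ... endobj', which is what first-wins/last-wins scanners do."""
import re
from collections import Counter
from urllib.parse import urlsplit

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
URI_LIT_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)   # /URI (literal)
URI_HEX_RE = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")                 # /URI <hex>
# Keys that turn a duplicate body from a benign re-save into active content.
ACTIVE_KEYS = (b"/URI", b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA")


def scan_objects(data):
    """Every indirect object definition in file order: (num, gen, body)."""
    return [(int(m[1]), int(m[2]), m[3].strip()) for m in OBJ_RE.finditer(data)]


def duplicate_objects(data):
    """(num, gen) -> distinct bodies for objects defined more than once with
    different bytes, plus whether any of those bodies carries active content."""
    seen = {}
    for num, gen, body in scan_objects(data):
        seen.setdefault((num, gen), []).append(body)
    dupes = {}
    for key, bodies in seen.items():
        distinct = list(dict.fromkeys(bodies))        # keep order, drop exact repeats
        if len(distinct) > 1:
            dupes[key] = {"bodies": distinct,
                          "active": any(k in b for b in distinct for k in ACTIVE_KEYS)}
    return dupes


def resolve(data, num, gen, policy="last"):
    """Body a reader sees: 'last' follows incremental-update semantics,
    'first' mimics a first-wins scanner."""
    bodies = [b for n, g, b in scan_objects(data) if (n, g) == (num, gen)]
    if not bodies:
        raise KeyError((num, gen))
    return bodies[-1] if policy == "last" else bodies[0]


def extract_uris(body):
    """/URI targets from one object body, literal or hex string form."""
    uris = [m[1].replace(b"\\(", b"(").replace(b"\\)", b")") for m in URI_LIT_RE.finditer(body)]
    for m in URI_HEX_RE.finditer(body):
        h = re.sub(rb"\s", b"", m[1]).decode()
        uris.append(bytes.fromhex(h + "0" if len(h) % 2 else h))   # odd trailing digit => implied 0
    return [u.decode("latin-1") for u in uris]


def link_farm_score(data, policy="last", max_size=200_000, min_links=8, min_top_share=0.6):
    """Per-host count of external link targets, taking one body per object so
    duplicates are counted the way the chosen parser would resolve them."""
    chosen = {}
    for num, gen, body in scan_objects(data):
        if policy == "last" or (num, gen) not in chosen:
            chosen[(num, gen)] = body
    hosts = Counter(urlsplit(u).hostname or "?" for b in chosen.values() for u in extract_uris(b))
    total = sum(hosts.values())
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_n / total if total else 0.0
    return {"size": len(data), "links": total, "top_host": top_host, "top_share": round(share, 2),
            "flag": len(data) <= max_size and total >= min_links and share >= min_top_share}


def build_sample():
    """Constructed PDF (assumption, not the analysed file): 12 link annotations
    on one CDN host, 2 elsewhere, then an incremental update that redefines
    annotation 4 0 with a lure URI.  Fictional hosts throughout."""
    targets = [f"https://cdn.example.net/uploads/{i}/normal_{i:04x}.pdf" for i in range(12)]
    targets += ["http://fonts.example.org/license", "https://other.example.com/x.pdf"]
    objs = [b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj"]
    annots = " ".join(f"{4 + i} 0 R" for i in range(len(targets)))
    objs.append(f"3 0 obj << /Type /Page /Parent 2 0 R /Annots [{annots}] >> endobj".encode())
    for i, t in enumerate(targets):
        objs.append(f"{4 + i} 0 obj << /Type /Annot /Subtype /Link "
                    f"/A << /S /URI /URI ({t}) >> >> endobj".encode())
    original = b"%PDF-1.4\n" + b"\n".join(objs) + b"\ntrailer << /Root 1 0 R >>\n%%EOF\n"
    update = (b"4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
              b"/URI (https://lure.example.ru/123?utm_term=x) >> >> endobj\n"
              b"trailer << /Root 1 0 R /Prev 0 >>\n%%EOF\n")
    return original + update


if __name__ == "__main__":
    pdf = build_sample()
    for (num, gen), info in duplicate_objects(pdf).items():
        print(f"duplicate {num} {gen} obj: {len(info['bodies'])} bodies, active={info['active']}")
        for pol in ("first", "last"):
            print(f"  {pol}-wins -> {extract_uris(resolve(pdf, num, gen, pol))}")
    for pol in ("first", "last"):
        print(pol, link_farm_score(pdf, policy=pol))
```

Run stand-alone, the script reports that object 4 0 is defined twice with active content, that a first-wins scanner resolves it to the CDN link while a last-wins reader resolves it to the lure URI, and that both resolution policies still flag the file as a link farm because the host clustering is carried by the other annotations. On a real sample, run `link_farm_score` under both policies and treat a change of verdict between them as a second signal in its own right.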

Extracted artifacts (4)

Files carved from inside the sample during analysis. All four are embedded sfnt font streams, as expected from wkhtmltopdf output; no embedded files, scripts or other payloads were carved.

Filename: font_00_sfnt_off0000d078.bin
  SHA-256: 85798cdcf21fbd2f1764fd7ef08e6208248d2bd5c7725a500a98087b21302cab
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xD078
  Size: 5412 bytes

Filename: font_01_sfnt_off0000e2f0.bin
  SHA-256: 28336a0cb3f8e641e75945af3d35324194abd932e21d2bc38800f63db353b10a
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xE2F0
  Size: 2044 bytes

Filename: font_02_sfnt_off0000ec5a.bin
  SHA-256: fa83cffea2e75011418fd259fe218888a37cd9da9cfb2bb009f84b9637620936
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xEC5A
  Size: 9792 bytes

Filename: font_03_sfnt_off00010e0f.bin
  SHA-256: d8a1a34de14a7b8fce5e51635835121d353d188f9ac9ce1e11538509fd4c5cdc
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x10E0F
  Size: 16060 bytes