Malicious PDF — malware analysis report

Static analysis result for SHA-256 71c5f1b7a2ef4114…

MALICIOUS

PDF

85.0 KB Created: 2021-03-24 08:56:49 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 589f8744090c12281c01c4cf9b0bafe8 SHA-1: a07680d9837ac32bbe70946703e588872ec2cf7c SHA-256: 71c5f1b7a2ef4114df9614f1b88d62176dfee71dea40db1d651c279cf758876a
166 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous links to disposable domains, a common tactic for phishing and malware distribution. The ML classifier and ClamAV detection strongly indicate malicious intent. The document body, though heavily obfuscated, appears to be a lure related to device troubleshooting, aiming to direct users to malicious URLs like https://botokaw.ru/strik.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://botokaw.ru/strik?utm_term=how+to+factory+reset+swann+dvr-4575
    • http://digitalliteracyinstitute.com/kegiwabobufilixeweb7fl0c.pdf
    • http://rewokujow.scienceontheweb.net/pesejupufanuf.pdf
    • http://vurovolapoza.mygamesonline.org/85105245296.pdf
    • http://meetchat.space/solving_quadratic_equations_worksheetmuoch.pdf
    • https://cdn.sqhk.co/rinilafexowi/8n5idVl/forbidden_racing_apk.pdf
    • https://cdn.sqhk.co/xonipavu/jldTACG/12995329384.pdf
    • http://italywow.space/chevy_traverse_2018_user_manualm0bil.pdf
    • https://bevikafu.weebly.com/uploads/1/3/4/7/134710030/6344e.pdf
    • https://gakikodokuni.weebly.com/uploads/1/3/1/8/131857060/risejonamaxodo.pdf
    • https://latuxuxapeja.weebly.com/uploads/1/3/0/7/130739017/cdc2e48dfc22a46.pdf
    • https://cdn.sqhk.co/jukunobegabe/jjoFrhh/kid_city_toy_story_4.pdf
    • https://bokakarepexopo.weebly.com/uploads/1/3/4/7/134750167/965128.pdf
    • https://cdn.sqhk.co/jotepomi/l0Ahgja/verumigimunate.pdf
    • http://mufutekuson.getenjoyment.net/ccie_security_book.pdf
    • http://miromawetibikew.mywebcommunity.org/meaning_of_budget.pdf
    • https://cdn.sqhk.co/bidekidarub/80N0Qjh/fazizubikazerogal.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://uploads.strikinglycdn.com/files/1038f172-fa51-4ae5-aef4-a2a3151d3b3a/real_estate_salesperson_license_course.pdf
    • https://d7ae471b-a447-437d-81b4-4e603f8679d9.filesusr.com/ugd/0a3240_92c2a20959a2454c897264efda7ea0e3.pdf?index=true
    • https://uploads.strikinglycdn.com/files/5214d163-37f1-48aa-81fb-6bf9d9f7560d/female_warrior_tattoo_small.pdf
    • https://uploads.strikinglycdn.com/files/9fd5bd7e-8c46-4351-bfd0-54c8c3a1bdfc/big_green_egg_large_nest_price.pdf
    • https://uploads.strikinglycdn.com/files/6ef9e683-bed6-453f-8fc2-2e024470574f/deridekeda.pdf
    • https://uploads.strikinglycdn.com/files/f6966fdf-fe61-483b-aa3a-a0c231b82c2d/raxebubaw.pdf
    • https://a3720f92-bdaa-4449-a3ff-14f36884d2d5.filesusr.com/ugd/afadc3_4a9fbc247cc24338893fde891d7f161c.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00010200.bin
695f7fc4be4daea817557762fa0b454b9e1561efcb70481acd59060e28ea893d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10200 5264 bytes
font_01_sfnt_off00011420.bin
0c933057650def0fcbc96609f95ae575ebac8a2db854872c4674004661b86ae7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11420 10548 bytes
font_02_sfnt_off00013857.bin
ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x13857 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.