Malicious PDF — malware analysis report

Static analysis result for SHA-256 7fc12c7d2e001593…

Verdict: MALICIOUS
File type: PDF
Size: 78.8 KB
Created: 2021-03-10 05:01:17 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 055f7539978d0e794f9a67843aa39c05
SHA-1: 5e874eee9630ecfcb3c6b83dcd707a5fb7b6c1ea
SHA-256: 7fc12c7d2e0015932570f0abdf176254712d7341e97cab5a464dae9cb678432e
Risk Score: 126

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by ML classifiers and ClamAV as malicious, specifically as a phishing trojan. It contains numerous embedded URLs, with one prominent URL pointing to a suspicious domain ('botokaw.ru') that is likely used to host malicious content or redirect to phishing pages. The heuristic 'PDF_SEO_DISPOSABLE_LINK_FARM' indicates the PDF is designed as a link farm on disposable hosting, further supporting a malicious intent to distribute links to potentially harmful sites.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9991

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://botokaw.ru/123?utm_term=french-+english+visual+bilingual+dictionary+free
    • http://jepewadagamer.scienceontheweb.net/oreck_xl_canister_vacuum_cleaner.pdf
    • http://wodekenizowa.getenjoyment.net/vebakopuwojuwovifaneninid.pdf
    • https://static.s123-cdn-static.com/uploads/4372963/normal_5fca930bcb377.pdf
    • http://goxuladajozi.22web.org/can_you_have_polygamy_in_sims_4.pdf
    • http://kokulotasuz.mygamesonline.org/cen-tech_p35017_multimeter_manual.pdf
    • https://static.s123-cdn-static.com/uploads/4476275/normal_5ffbe78e10b09.pdf
    • http://zaparipajomigi.scienceontheweb.net/nixedivoduderolewanumifu.pdf
    • http://xomutukegadoj.mypressonline.com/jafepezajaxemid.pdf
    • https://static.s123-cdn-static.com/uploads/4401694/normal_5fefed88c7daf.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.opentle.org
    • https://uploads.strikinglycdn.com/files/27fae332-91f4-46f5-9542-f1fa71823674/21557842380.pdf
    • http://pupakutave.epizy.com/zawijazilakuxokarodowemag.pdf
    • https://05f6fcc2-a4c7-4d5b-b58c-97b640a93f4d.filesusr.com/ugd/74147a_0f0ff10d95df4a8b8ffc21fd5cb66763.pdf?index=true
    • https://uploads.strikinglycdn.com/files/2a1a3fc8-1df7-4dc0-bbd2-6210913608ad/wu_tang_name_generator_reddit.pdf
    • http://fonobufusig.rf.gd/definition_anamorphic_format.pdf
    • https://4f65501f-cdae-4966-b9db-49b15ad9d196.filesusr.com/ugd/52b593_3f5c39fbfdfc40d69ee217bab96f3768.pdf?index=true
    • https://uploads.strikinglycdn.com/files/ca5e7416-6aea-4b9c-a795-e8ca7948a460/read_diary_of_a_wimpy_kid_15_online.pdf
    • https://d52aed46-be45-4f9b-8106-cf6fc7ee66c0.filesusr.com/ugd/b148e5_a60839d5c2d74f73819dab8eb6d80560.pdf?index=true
    • https://uploads.strikinglycdn.com/files/87fec2da-9f14-4a93-9ca7-1a90a29496a3/new_practical_chinese_reader_2nd_edition_textbook_answers.pdf
    • https://3b044092-e341-4c69-a8e2-52b14fc1865f.filesusr.com/ugd/370021_43819369dd6a4013abe28fe030d01a31.pdf?index=true
    • http://wojuzixe.epizy.com/melunubijobotexapi.pdf
    • http://vimonaker.epizy.com/fotes.pdf
    • http://lupedapexonejov.epizy.com/how_to_use_log_on_calculator_ti_30x_iis.pdf
    • http://virawumeritaxo.rf.gd/basavijidodim.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://www.gnu.org/licenses/gpl.html

Extracted artifacts 3

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off0000e346.bin
    SHA-256: b261a62db523996b88322cfcd2781c07af6889b6d648614e3aa8b178135b545d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE346
    Size: 5572 bytes
  • font_01_sfnt_off0000f63e.bin
    SHA-256: 4f1c27899c4a0f8a1f68c5b6365981fbd7cef0720461d4d6ad3d0c8515cab03e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF63E
    Size: 5952 bytes
  • font_02_sfnt_off0001057e.bin
    SHA-256: 02b17489eaf7a7aab86cbeb2311e07310a9c94f033511703b27f182f56af0181
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1057E
    Size: 12636 bytes