Malicious PDF — malware analysis report

Static analysis result for SHA-256 8ceace5eeefd6dea…

MALICIOUS

PDF

85.1 KB Created: 2021-03-30 00:51:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6fa283a44a81597a334601d2224ca8b6 SHA-1: 792a8df2ba1063f0fc09b9296d77d7b645c9c839 SHA-256: 8ceace5eeefd6dea9c39cf201907170f775b1c197d31b5af684c5c1a0fe3d86a
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was flagged as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The heuristic 'PDF_SEO_LINK_FARM' suggests the document is designed to host a large number of external links, potentially for SEO manipulation or to redirect users to malicious sites. The presence of embedded URLs further supports this, with one notable URL being https://botokaw.ru/strik. No scripts were extracted from this sample, but the overall structure and URL findings point towards a phishing or link-farming attack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://botokaw.ru/strik?utm_term=50+shades+of+grey+book+song+list
    • https://sajozigita.weebly.com/uploads/1/3/0/8/130814351/vugolix-sejiwikobavumem-vukoxirego.pdf
    • https://vemusosafuz.weebly.com/uploads/1/3/1/3/131398108/tajox.pdf
    • https://sivekilupikuma.weebly.com/uploads/1/3/4/4/134491743/6b07a7a38.pdf
    • https://lozofuxoxezutuw.weebly.com/uploads/1/3/5/3/135303337/ab6d56c70a1.pdf
    • https://gemegomuzek.weebly.com/uploads/1/3/4/3/134339500/jitavu.pdf
    • https://gilulunerokife.weebly.com/uploads/1/3/5/2/135296548/3b122284.pdf
    • http://gejobukopap.iblogger.org/brother_exedra_industrial_sewing_machine_manual.pdf
    • http://jodopafipunew.22web.org/daputodugesedojozowifole.pdf
    • https://kolekidir.weebly.com/uploads/1/3/4/4/134441437/43d75f049.pdf
    • https://kixuvatapowow.weebly.com/uploads/1/3/1/3/131383305/bizabexut.pdf
    • https://razivizufizide.weebly.com/uploads/1/3/4/5/134525322/bisekipedof-birumapa-nazilomosajunir.pdf
    • https://biwawidojimu.weebly.com/uploads/1/3/4/6/134648839/suwemaza_repukawi_dobezajeruk.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/ecb281a4-7a82-4b55-82b3-ba0df4988b97/85864057263.pdf
    • https://uploads.strikinglycdn.com/files/0a3e08ce-ef18-4380-a7d8-689f13adc51b/37087038023.pdf
    • https://uploads.strikinglycdn.com/files/1b5730cf-95b7-4949-83dd-d8884a4a8e8b/sennheiser_hdr_120_wireless_headphones_problems.pdf
    • http://vovivufevalo.rf.gd/toxad.pdf
    • https://b585a76b-fab5-4024-b0d2-f3ad95444197.filesusr.com/ugd/404203_79feb8ecd07a4436b900663fcf695a8f.pdf?index=true
    • https://uploads.strikinglycdn.com/files/285f8c69-4c2f-4196-abaf-6616c0bd6515/motedimexizawomukezizo.pdf
    • https://109d6476-c6f4-4eee-b84c-907698fb4207.filesusr.com/ugd/0d7ebf_203c628fc9fd48b482b1354bfebae90b.pdf?index=true
    • https://e7ba4f66-d023-404d-a355-a5b98970f127.filesusr.com/ugd/cac9e4_80a9b491836d4137bfbfe383b1ada88c.pdf?index=true
    • https://8a7e94d2-1b07-4399-8a7b-cfebf1eb419e.filesusr.com/ugd/e78b77_9b19e406ce9f4d88a8d9f20a95c3174f.pdf?index=true
    • https://uploads.strikinglycdn.com/files/617e7180-5057-4b47-9a14-f0cadd7ffb02/fubategipusapuwixififisa.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00010a3c.bin
53998cf9085048b4fbb85503e5dba110a0d02f6a6db37e6203f45a53cd3897cd		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10A3C 5648 bytes
font_01_sfnt_off00011d71.bin
c10205cf231f5c4e98c292199e3e798c57e9804d26cba6d1028c758881c732af		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11D71 12080 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.