Malicious PDF — malware analysis report

Static analysis result for SHA-256 93821b6f412b920f…

MALICIOUS

PDF

Size: 84.4 KB
Created: 2021-04-21 00:14:51 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 42b5ed2826ff366fe0e2317d8f399fc3
SHA-1: d03075dcc241525448347e059dda9f9ed47ba95c
SHA-256: 93821b6f412b920f95b333c3dd179316f1aea5387d5fcf0724c34e050193a990
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

Multiple heuristics flag this PDF as malicious, including a critical ClamAV detection (Pdf.Phishing.Trojan). The file is small (84.4 KB) yet carries a large number of clickable external links, mostly clustered on one host, which matches the PDF_SEO_LINK_FARM heuristic: a generated link-farm PDF whose purpose is to route readers into unwanted-software or phishing delivery chains rather than to cite documents. One of the link targets, https://botokaw.ru/strik?utm_term=why+won%2527t+my+dpf+regeneration, is a search-term-styled lure URL that may lead to phishing or malware. No JavaScript or other script objects were extracted, so the T1059.007 (JavaScript) mapping is not supported by extracted content; the verdict rests on the link-farm structure and the redirect intent it implies, not on any exploit code.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels (not reproduced here) record which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://botokaw.ru/strik?utm_term=why+won%2527t+my+dpf+regeneration
    • http://educationonline.website/zenuzaxobupugixinevikp7tu4.pdf
    • http://tryse.xyz/19219827336ppget.pdf
    • http://ig-socialmedia.xyz/93960157065rhmmp.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/aa86f956-4a6f-454a-b9cd-e6e816f683ed/what_is_the_meaning_of_color_green_in_psychology.pdf
    • https://uploads.strikinglycdn.com/files/c4e407ff-e07f-4e4b-ae03-d0b50769f913/who_used_guerrilla_warfare_first.pdf
    • https://uploads.strikinglycdn.com/files/80e328c7-cf48-486a-a8ab-6bfc6ce31228/nubekufetonakejijovexivom.pdf
    • https://eb72eaa1-ef55-40a3-a653-f6d21bccf295.filesusr.com/ugd/54913d_d499062dcc3f46cb837961ed5cfcad34.pdf?index=true
    • https://uploads.strikinglycdn.com/files/a99d93c3-0e21-4d99-ae1a-9ed31ab01d6d/18469159612.pdf
    • https://s3.amazonaws.com/neviwove/40308301855.pdf
    • https://uploads.strikinglycdn.com/files/0030657e-02f8-4fad-b41a-be0e6f1ef81b/tavagofizejivonojolep.pdf
    • https://s3.amazonaws.com/guxosa/85363109334.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    Caveat: the www.w3.org, purl.org and ns.adobe.com entries are XMP/RDF namespace URIs from the document's metadata stream, and the scripts.sil.org and dejavu.sourceforge.net entries are font-licence URIs of the kind carried in the name tables of embedded DejaVu fonts (the carved sfnt fonts below are the likely source). These are string data rather than clickable link targets and should not be counted toward the link farm; the *.pdf targets on educationonline.website, tryse.xyz, ig-socialmedia.xyz, strikinglycdn.com, filesusr.com and s3.amazonaws.com are the ones that matter.
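As an added example (not part of this report and not the analysis platform's own code), the following Python script re-derives the two structural heuristics above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, directly from raw PDF bytes: it clusters /URI link targets by host and reports indirect objects that are redefined with different bodies, showing what a first-wins and a last-wins reader would each resolve. The SAMPLE_PDF inside it is constructed for the example, and the thresholds in link_farm (200 KB, five links, 60% of links on one host) and all function names are assumptions, not values taken from the report.

```python
"""Re-derive two of the heuristics in this report directly from PDF bytes:
PDF_SEO_LINK_FARM (many /URI link targets clustered on one host) and
PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (an object id defined twice with different
bodies, so first-wins and last-wins readers disagree). Regex based: it only
sees objects stored in the clear, not those inside compressed object streams,
so a clean result means "nothing found in plain objects", not "clean file"."""
import hashlib
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# 'N G obj ... endobj'; the lookbehind stops a match from starting mid-number.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
# Literal-string /URI values only; hex-string (<...>) URIs are not handled here.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def indirect_objects(data):
    """Yield (num, gen, body, offset) for every indirect object, in file order."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip(), m.start()


def duplicate_objects(data):
    """Map (num, gen) -> list of distinct body SHA-256s, for ids whose
    redefinitions differ in body bytes (byte-identical re-emits are ignored)."""
    bodies = defaultdict(list)
    for num, gen, body, _ in indirect_objects(data):
        digest = hashlib.sha256(body).hexdigest()
        if digest not in bodies[(num, gen)]:
            bodies[(num, gen)].append(digest)
    return {k: v for k, v in bodies.items() if len(v) > 1}


def resolve(data, num, gen, policy="last"):
    """Return the body a first-wins or last-wins reader would use for 'num gen'."""
    found = [b for n, g, b, _ in indirect_objects(data) if (n, g) == (num, gen)]
    if not found:
        return None
    return found[0] if policy == "first" else found[-1]


def uri_hosts(data):
    """Count /URI link targets per (lowercased) host."""
    hosts = Counter()
    for m in URI_RE.finditer(data):
        host = urlparse(m.group(1).decode("latin-1")).hostname
        if host:
            hosts[host.lower()] += 1
    return hosts


def link_farm(data, max_size=200_000, min_links=5, min_share=0.6):
    """Flag a small PDF whose /URI targets mostly sit on one host.
    The thresholds are assumptions for this example, not the report's."""
    hosts = uri_hosts(data)
    total = sum(hosts.values())
    if len(data) > max_size or total < min_links:
        return False, hosts
    _, top = hosts.most_common(1)[0]
    return top / total >= min_share, hosts


def _link(num, uri):
    """Build one link annotation object carrying a /URI action."""
    return b"%d 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (%s) >> >> endobj\n" % (num, uri)


# Constructed sample, not the analysed file: a tiny PDF with five link
# annotations, followed by an incremental update that redefines object 4 so the
# original citation link now points into the link farm. Cross-reference tables
# are omitted because the scanner above never reads them.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R 8 0 R] >> endobj\n"
    + _link(4, b"https://example.org/citation")
    + b"".join(_link(n, b"http://farm.invalid/%d.pdf" % n) for n in range(5, 9))
    + b"trailer << /Root 1 0 R /Size 9 >>\n%%EOF\n"
    # --- incremental update appended after the original %%EOF ---
    + _link(4, b"http://farm.invalid/lure.pdf")
    + b"trailer << /Root 1 0 R /Size 9 /Prev 0 >>\n%%EOF\n"
)

if __name__ == "__main__":
    flagged, hosts = link_farm(SAMPLE_PDF)
    print("link farm:", flagged, dict(hosts))
    for (num, gen), digests in duplicate_objects(SAMPLE_PDF).items():
        print(f"object {num} {gen} has {len(digests)} distinct bodies")
        print("  first-wins:", resolve(SAMPLE_PDF, num, gen, "first"))
        print("  last-wins: ", resolve(SAMPLE_PDF, num, gen, "last"))
```

Run it against a real sample by replacing SAMPLE_PDF with the file's bytes. The duplicate-object check is deliberately body-hash based, matching the heuristic's "different body bytes" wording; to mirror the severity rule in the report, inspect the bodies it returns for active content (/JS, /JavaScript, /Launch, /URI) before escalating, since benign incremental saves produce the same shape.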

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

font_00_sfnt_off0000f611.bin
  SHA-256: 984da18fb54a5f1cd031b2b9af3b47a3067f8c73029afcbba52dfb3ed3f8d728
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xF611
  Size:    5484 bytes

font_01_sfnt_off000108b4.bin
  SHA-256: fb104f10f307d2f54a1ad0b45188e130959752254650e0517abcfce7ab18681b
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x108B4
  Size:    11368 bytes

font_02_sfnt_off00012fbb.bin
  SHA-256: e93acd332f5893643511f4cefd38969ad5c744ad1b08842a788b6be7d277dd15
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x12FBB
  Size:    16204 bytes