Malicious PDF — malware analysis report

Static analysis result for SHA-256 9515cafdabd2c81f…

MALICIOUS

PDF

120.1 KB Created: 2021-04-10 03:40:00 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3bd68669921b68a8bed05f27b16b9ebd SHA-1: a6cbbee1ca24ddb157555344e3d59f5bb34fe6ee SHA-256: 9515cafdabd2c81f69dd7e42d157a554c20be06fbe99640ed5de1532456eef2a
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is a PDF containing numerous external links, identified as a PDF link farm. The ML classifier and ClamAV detection strongly indicate malicious intent, specifically phishing or malware distribution. The embedded URLs, such as 'https://botokaw.ru/strik?utm_term=who+is+voldemort+in+fantastic+beasts', suggest a lure to potentially malicious content or phishing pages.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://botokaw.ru/strik?utm_term=who+is+voldemort+in+fantastic+beasts
    • http://4gusevshop.space/1893525045777udk.pdf
    • http://bcpzonasegur4viabcp.com/spongebob_episode_pizza_deliverypi9dv.pdf
    • https://nevedaroxizewav.weebly.com/uploads/1/3/4/5/134592578/9445542.pdf
    • http://braco.ru/xefatisetigesod0ectb.pdf
    • http://instapodarok365.site/wewafaxabuzux91om7.pdf
    • https://cdn.sqhk.co/keridola/f0XqEIA/tuwew.pdf
    • https://rukazoxet.weebly.com/uploads/1/3/4/0/134040508/31087b056e414.pdf
    • http://wildber.store/40437455013wl7zm.pdf
    • http://meetly.space/befulutiwiwajujoo5lz6.pdf
    • https://xosulokut.weebly.com/uploads/1/3/4/4/134466674/viwereven.pdf
    • http://fruits-summer.fun/best_friend_funny_status_video_download8u1sx.pdf
    • https://cdn.sqhk.co/ruwonumatag/pijD1gg/1440823404.pdf
    • http://presentinsta.online/viludekepomutavusagodx3rim.pdf
    • https://cdn.sqhk.co/nupepewomaxu/jhjjjcD/neluvegudewanipufaludil.pdf
    • https://memarexegota.weebly.com/uploads/1/3/4/3/134366516/jurokamuxumunodadij.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://53860ffb-5975-4088-b838-5c82367c2827.filesusr.com/ugd/0d2908_1935018dcd6b4cc38d598fe27dc90142.pdf?index=true
    • https://s3.amazonaws.com/vajefam/bharathi_kannamma_songs_starmusiq.pdf
    • https://s3.amazonaws.com/dowadotiju/how_to_test_firewall_with_nmap.pdf
    • https://s3.amazonaws.com/sojuravewi/ballroom_e_youkoso_soundtrack.pdf
    • https://s3.amazonaws.com/litunux/invoice_form_template.pdf
    • https://e05653fc-386e-4c8b-889d-738aee72c63e.filesusr.com/ugd/62421a_579f15f5b6ba4e568d8afe90762390af.pdf?index=true
    • https://ef5e9b3f-1a8e-4c79-9b60-34b8f8133c96.filesusr.com/ugd/18574e_f28b293c279d4ec28d20f14b16aee021.pdf?index=true
    • https://178c1879-e916-404b-9861-a2431bd0f83a.filesusr.com/ugd/1aace6_6aeb0ed3264349b3b87018c40f41eea8.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00017e2c.bin
6494506ea457ca4fcb9116f7d021a96377f8f0fcbf20929deeee96e4a551184d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x17E2C 8072 bytes
font_01_sfnt_off0001989b.bin
33e2dbd140834969a3dd50e4e500f5341faa31e1d213ffe0052dcfae5a1083ec		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1989B 5472 bytes
font_02_sfnt_off0001ab19.bin
11bdf4f8533037c33888539178f99b168c495dd9bfa557720616093379e3045b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1AB19 12308 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.