Malicious PDF — malware analysis report

Static analysis result for SHA-256 9f8e40bb1eeabbbc…

Verdict: MALICIOUS
File type: PDF
Size: 78.0 KB
Created: 2021-05-23 18:53:27 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 332f2e023e57b3ec5bb474ab1e95e32e
SHA-1: e90418ad5c3df7d360bd54ea5cd8ddf48b1af4b9
SHA-256: 9f8e40bb1eeabbbc000d4699c0b12915db55a225b3e3da8aab0c216e4f5479b9
Risk score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file was flagged as malicious by the Nyx PDF classifier (score 0.9996) and by a ClamAV Pdf.Phishing.Trojan signature, so the verdict rests on two independent detections. It carries an external URI action, and the URL the report singles out is https://botokaw.ru/strik?utm_term=what+is+meant+by+absolute+cost+advantage, most likely used for phishing or to fetch a secondary payload; the utm_term query parameter names the lure topic ('absolute cost advantage'), a theme consistent with finance-flavoured phishing lures. The remaining extracted URLs are links to other PDF files on third-party CDNs (strikinglycdn.com, f-static.net, s123-cdn-static.com), XMP metadata namespace identifiers (w3.org, purl.org, ns.adobe.com) and font licence or designer links (scripts.sil.org/OFL, ascendercorp.com) that come from the name tables of the embedded fonts; none of these is a detection in itself. Note that the ATT&CK mapping lists T1059.007 (JavaScript), but none of the four heuristics that fired reports embedded JavaScript; the only active content recorded in this scan is the URI action.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • ClamAV signature match critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader therefore resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content; in this sample it stayed at info, meaning neither copy of the duplicated object carried active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://botokaw.ru/strik?utm_term=what+is+meant+by+absolute+cost+advantage
    • https://cdn-cms.f-static.net/uploads/4459641/normal_603f3ade6b6a8.pdf
    • https://cdn-cms.f-static.net/uploads/4444649/normal_601b974e1b9c3.pdf
    • https://cdn-cms.f-static.net/uploads/4373520/normal_60199fdd482ab.pdf
    • https://cdn-cms.f-static.net/uploads/4443341/normal_601bfa4353928.pdf
    • https://cdn-cms.f-static.net/uploads/4370547/normal_604ac672c8ce1.pdf
    • https://static.s123-cdn-static.com/uploads/4380078/normal_5fe213fba7b1d.pdf
    • https://static.s123-cdn-static.com/uploads/4464078/normal_6008f82296ff2.pdf
    • https://cdn-cms.f-static.net/uploads/4376612/normal_5fd90b08b153f.pdf
    • https://cdn-cms.f-static.net/uploads/4416150/normal_60598f22c6fe5.pdf
    • https://cdn-cms.f-static.net/uploads/4405641/normal_60506451bd22b.pdf
    • https://cdn-cms.f-static.net/uploads/4422912/normal_6020dbbb53eee.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/d506b834-026f-49d8-a2d1-cca44afe57d6/jolejugurarutimaleterol.pdf
    • https://uploads.strikinglycdn.com/files/5a58cf6c-e77c-4bca-92d3-5114ba1e773d/how_do_you_use_the_bissell_little_green_machine.pdf
    • https://uploads.strikinglycdn.com/files/dae7b613-eb81-4339-9222-3888cbf16899/bupimapazovo.pdf
    • https://uploads.strikinglycdn.com/files/572dc03a-effb-4fa7-a77a-5b7dd65e9023/focusrite_control_big_sur_m1.pdf
    • https://uploads.strikinglycdn.com/files/9775d283-0a6f-4460-ba93-891702ffda50/present_perfect_and_past_simple_exercises_perfect_english_grammar.pdf
    • https://uploads.strikinglycdn.com/files/e71fa23e-ffab-443a-a54a-55fb581e6055/36644675558.pdf
    • https://uploads.strikinglycdn.com/files/aba481b3-d591-4211-8110-31598c0b806d/how_much_does_a_graphic_designer_earn_in_south_africa.pdf
    • https://uploads.strikinglycdn.com/files/133f8d84-7dae-4432-b604-d7f6a35623e9/68185313416.pdf
    • https://uploads.strikinglycdn.com/files/1ca3de8c-8984-4d6d-9a8a-3aebc79fa8d2/46192172089.pdf
    • https://uploads.strikinglycdn.com/files/ecc7fc06-423a-45ba-99e4-851cb3882fe5/how_to_do_a_mini_mental_state_examination.pdf
    • https://uploads.strikinglycdn.com/files/2e8c89b6-a8a2-436f-90d8-06808d12e9bb/kujob.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
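To make the two parser-level heuristics above (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and the PDF_URI / EMBEDDED_URL extraction) concrete, here is an added example written for this page; it is not code from the scanner that produced the report and not content of the analysed sample. It scans a PDF byte string for every `N G obj ... endobj` definition in file order, flags object numbers that are defined more than once with differing bodies, shows what a first-wins and a last-wins reader would each resolve, applies the report's rule that a duplicate only matters when a copy carries active content, and pulls out every /URI action target. The two-revision PDF embedded in the script is constructed for the demo: its objects, the hostname lure.invalid and the /Prev offset are invented.

```python
import re
from collections import defaultdict

# Constructed sample: a base revision followed by one incremental update that
# redefines object 4 (a link annotation) and object 5 (the Info dictionary).
# No xref tables are included and the /Prev offset is fake; the scanner below
# reads objects in file order, as recovery-mode parsers and scanning tools do.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [72 700 300 720]
   /A << /S /URI /URI (https://example.org/benign) >> >>
endobj
5 0 obj
<< /Producer (demo) >>
endobj
trailer
<< /Root 1 0 R /Info 5 0 R >>
%%EOF
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [72 700 300 720]
   /A << /S /URI /URI (https://lure.invalid/strik?utm_term=absolute+cost+advantage) >> >>
endobj
5 0 obj
<< /Producer (demo) /ModDate (D:20210523185327) >>
endobj
trailer
<< /Root 1 0 R /Info 5 0 R /Prev 9 >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Dictionary keys that make an object "active": it can trigger a URL, script
# or file action instead of only describing layout or metadata.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/URI", b"/Launch", b"/OpenAction",
               b"/AA", b"/SubmitForm", b"/GoToR")


def parse_objects(data):
    """Return (num, gen, body, offset) for every `N G obj ... endobj` in file order."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3).strip(), m.start())
            for m in OBJ_RE.finditer(data)]


def duplicate_objects(data):
    """(num, gen) -> list of bodies, for objects defined more than once with differing bodies."""
    seen = defaultdict(list)
    for num, gen, body, _ in parse_objects(data):
        seen[(num, gen)].append(body)
    return {k: v for k, v in seen.items() if len(v) > 1 and len(set(v)) > 1}


def has_active_content(body):
    """True when the object body carries any action-capable dictionary key."""
    return any(key in body for key in ACTIVE_KEYS)


def classify_duplicates(data):
    """Mirror the report's rule: a duplicate is 'active' (worth raising) only
    when at least one copy carries active content, otherwise 'body-only'."""
    return {k: ("active" if any(has_active_content(b) for b in bodies) else "body-only")
            for k, bodies in duplicate_objects(data).items()}


def resolve(data, num, gen, policy="last"):
    """Resolve an object the way a first-wins or last-wins reader would."""
    bodies = [b for n, g, b, _ in parse_objects(data) if (n, g) == (num, gen)]
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


def extract_uris(data):
    """All /URI action targets in the given bytes, in file order."""
    return [u.decode("latin-1") for u in URI_RE.findall(data)]


def uri_seen_by(data, num, gen):
    """Which URL each reader policy actually follows for one link annotation."""
    return {policy: extract_uris(resolve(data, num, gen, policy))
            for policy in ("first", "last")}


if __name__ == "__main__":
    for (num, gen), verdict in classify_duplicates(SAMPLE_PDF).items():
        print(f"object {num} {gen} defined twice with differing bodies: {verdict}")
    print("all URIs:", extract_uris(SAMPLE_PDF))
    print("link 4 0 resolves to:", uri_seen_by(SAMPLE_PDF, 4, 0))
```

In the constructed sample, object 5 is the benign incremental-update case (same dictionary plus a /ModDate) and stays at body-only, while object 4 changes the URI target, so a first-wins reader follows the harmless link and a last-wins reader follows the lure. A real reader resolves objects through the xref chain rather than by scanning, and objects packed into compressed object streams (/ObjStm) are invisible to a byte-level scan like this one; for triage, decompress streams first and compare the xref-selected copy of each object against every other copy found in the file.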

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000f4ee.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xF4EE   5572 bytes
  SHA-256 ba4898b04ddfbe311c7f5daeef026c0b63097192c2e08cb68e3f84d04a4aa3d5
font_01_sfnt_off000107d1.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x107D1  10268 bytes
  SHA-256 d4341f2fe2ee26af1895b7162d90f6933676ee0b7803f77df4ebd7172180853b

Both artifacts are embedded sfnt (TrueType/OpenType) font programs, the expected output of a wkhtmltopdf-generated document; no heuristic fired on them and they are not detections in themselves. The hashes are recorded so the fonts can be matched against known font subsets if needed.