Malicious PDF — malware analysis report

Static analysis result for SHA-256 ab4c7779591aeefa…

Verdict: MALICIOUS
File type: PDF
Size: 81.3 KB
Created: 2021-03-22 21:36:32 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2d330e9fa144c8a10ef13b8a07805afd
SHA-1: db89dd2b2d86e2c6f89b6170cf56be8c05e8c875
SHA-256: ab4c7779591aeefab92fa0010b91ffe506e1506f134c69650bcd765795155b0b
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF carries a large number of external link annotations, most of them pointing to other PDF files on free web-hosting and CDN domains (weebly.com, strikinglycdn.com, filesusr.com, s3.amazonaws.com). That is the pattern of a machine-generated SEO link-farm document, not of genuine citations, and the producer string (wkhtmltopdf) is consistent with an automatically generated HTML-to-PDF carrier. One URL stands out: 'https://botokaw.ru/award?keyword=ogden+nash+poems+pdf', whose 'keyword=' parameter indicates a lure page posing as the search result for the document the victim was looking for. ClamAV's 'Pdf.Phishing.Trojan' signature supports the malicious classification. No embedded scripts were extracted, so the T1059.007 (JavaScript) mapping is not backed by any recovered artefact; the malicious behaviour here is redirection, with the document existing only to route the reader to external phishing or unwanted-software delivery pages. Note that the extracted URL list also includes XMP/RDF namespace URIs and font-licence or font-vendor links (w3.org, purl.org, ns.adobe.com, scripts.sil.org, ascendercorp.com). These come from document metadata and the embedded fonts, are not clickable link targets, and should not be counted toward the link-farm signal.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (5)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains a mass external PDF link farm
    The PDF is small yet contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, not a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • [info] PDF_URI: External URI action
    The PDF contains at least one external URL (/URI) action.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will therefore resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so the severity is raised only when the duplicate carries active content; in this sample the finding stayed at info, so the duplicated object did not carry active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://botokaw.ru/award?keyword=ogden+nash+poems+pdf
    • https://cdn-cms.f-static.net/uploads/4379471/normal_6040761bcfbc0.pdf
    • https://cdn-cms.f-static.net/uploads/4366388/normal_602665a65234d.pdf
    • https://xoxigukot.weebly.com/uploads/1/3/4/8/134861038/zusabafikadoba.pdf
    • https://tavifarexup.weebly.com/uploads/1/3/4/6/134611028/ropopapiva-gikapisavu-pejejiguziw.pdf
    • https://mepodatadun.weebly.com/uploads/1/3/1/4/131452799/b9d0a751e.pdf
    • https://xevupuwikuguv.weebly.com/uploads/1/3/0/8/130814145/4033111.pdf
    • https://sawuwirepugasup.weebly.com/uploads/1/3/0/9/130969548/funigi_sokutuzazejogut.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/bidivo/keto_diet_list.pdf
    • https://uploads.strikinglycdn.com/files/f0bfb20b-b6fa-4a62-8d67-6ab19807e646/haier_portable_washer_hlp23e.pdf
    • https://uploads.strikinglycdn.com/files/857f227a-8f80-4d12-b9c8-d31ca5b61c82/samsung_washing_machine_top_loader_wont_drain.pdf
    • https://ca39a19f-16f9-469f-ab0b-65ec0463b8d0.filesusr.com/ugd/cc9b97_8524af593e9e44e1b0ea3ad2cacbeb0e.pdf?index=true
    • https://0df22b04-17ae-4e65-9af8-3af4445b4601.filesusr.com/ugd/71fd01_41c54c55d14f4f038f9cc4c07ac17d89.pdf?index=true
    • https://s3.amazonaws.com/wegugus/3084902230.pdf
    • https://uploads.strikinglycdn.com/files/38dc8654-6e3f-48cb-bb38-fb78c8b5b5ec/12694578291.pdf
    • https://uploads.strikinglycdn.com/files/f34e96df-7da8-4394-84b0-c26f89647a77/18529225622.pdf
    • https://uploads.strikinglycdn.com/files/9d9cdf0e-6df0-4dd5-bf66-108d495f00df/kenmore_80_series_washer_agitator_not_working.pdf
    • https://83d7d1d1-3661-4158-a2cc-78aa4aa39d08.filesusr.com/ugd/163759_183ea99faeb74e45bbc59c8dd5b7275f.pdf?index=true
    • https://01c19f78-c7d0-441a-b56a-8672493f87de.filesusr.com/ugd/9d66c7_3789b95f91b34fbc9e609d697e98734a.pdf?index=true
    • https://s3.amazonaws.com/juzinaramip/xisibever.pdf
    • https://uploads.strikinglycdn.com/files/a504e4e2-84ba-4c98-af82-8228dcc75272/5870468526.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
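As an added worked example (not part of this report's tooling), the following Python script reproduces the two structural checks above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, on a constructed sample. The hostnames, object numbers, URLs and thresholds are assumptions for illustration. It also shows why XMP namespace URIs such as the rdf-syntax-ns entry in the URL list do not count as clickable link targets, and how a first-wins and a last-wins reader resolve a redefined link annotation to different destinations.

```python
"""Triage checks for link-farm PDFs: /URI link clustering and duplicate object bodies.
Added example, not the report's own code. The scan is a regex pass over raw bytes
(no xref or stream-length handling); a full parser would resolve via the xref table."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample (hostnames, object numbers and URLs are hypothetical). It has
# four link annotations on farm.example, one on cdn.example, an XMP metadata
# stream carrying an RDF namespace URI, and an incremental update that redefines
# object 5 with a different /URI target. Lengths and xref are omitted on purpose.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 7 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 8 0 R 9 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://farm.example/a.pdf) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://farm.example/b.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://farm.example/c.pdf) >> >> endobj
7 0 obj << /Type /Metadata /Subtype /XML >>
stream
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/>
endstream
endobj
8 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://farm.example/d.pdf) >> >> endobj
9 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example/e.pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://lure.example/award?keyword=x) >> >> endobj
trailer << /Root 1 0 R /Prev 0 >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
# Only /URI *actions* are clickable targets; namespace URIs inside XMP metadata
# never match this shape, so they do not inflate the link count.
URI_RE = re.compile(rb"/S\s*/URI\b.*?/URI\s*\((.*?)\)", re.S)
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/URI", b"/OpenAction", b"/AA", b"/SubmitForm")


def scan_objects(data):
    """Return every indirect object definition as (num, gen, body) in file order."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3)) for m in OBJ_RE.finditer(data)]


def duplicate_objects(objs):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: (num, gen) defined more than once with
    differing bodies. 'active' marks duplicates carrying an action or script key,
    the case where first-wins vs last-wins resolution changes behaviour."""
    bodies = {}
    for num, gen, body in objs:
        bodies.setdefault((num, gen), []).append(body)
    return {
        key: {"first": b[0], "last": b[-1],
              "active": any(k in body for body in b for k in ACTIVE_KEYS)}
        for key, b in bodies.items() if len(b) > 1 and len(set(b)) > 1
    }


def link_targets(objs, resolve="last"):
    """/URI targets after resolving duplicate objects first-wins or last-wins.
    PDF string escapes are not decoded here; treat the output as triage data."""
    chosen = {}
    for num, gen, body in objs:
        if resolve == "first" and (num, gen) in chosen:
            continue
        chosen[(num, gen)] = body
    return [m.group(1).decode("latin-1")
            for body in chosen.values() for m in URI_RE.finditer(body)]


def link_farm_verdict(data, size_limit=200_000, min_links=5, min_share=0.5):
    """PDF_SEO_LINK_FARM: small file, many external links, most on one host.
    Thresholds are assumptions for illustration, not the report's tuning."""
    urls = link_targets(scan_objects(data))
    hosts = Counter(urlsplit(u).hostname or "" for u in urls)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_count / len(urls) if urls else 0.0
    return {
        "fired": len(data) <= size_limit and len(urls) >= min_links and share >= min_share,
        "links": len(urls),
        "pdf_links": sum(urlsplit(u).path.lower().endswith(".pdf") for u in urls),
        "top_host": top_host,
        "top_share": round(share, 2),
    }


if __name__ == "__main__":
    objs = scan_objects(SAMPLE_PDF)
    for (num, gen), d in duplicate_objects(objs).items():
        print(f"obj {num} {gen} redefined; active={d['active']}")
        print("  first-wins:", d["first"].strip()[:72])
        print("  last-wins: ", d["last"].strip()[:72])
    print("targets (first-wins):", link_targets(objs, "first"))
    print("targets (last-wins): ", link_targets(objs, "last"))
    print("verdict:", link_farm_verdict(SAMPLE_PDF))
```

Run it directly to see the redefined object 5 resolve to farm.example under first-wins and to the lure host under last-wins, while the rdf namespace URI in the metadata stream is never counted. A production version would also decode PDF string escapes and hex strings, follow /GoToR and /Launch actions, and resolve objects through the xref chain rather than by file order.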

Extracted artifacts (2)

Files carved from inside the sample during analysis. Both carved artifacts are embedded font programs (sfnt); no scripts, embedded files or other payloads were recovered.

font_00_sfnt_off0000fd7a.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xFD7A
  Size:    5356 bytes
  SHA-256: d4aecbb4cc9dda9951e75a2086bafe63dc21b52a215e5eb81f65123a5f97b3ad

font_01_sfnt_off00010f8f.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x10F8F
  Size:    11672 bytes
  SHA-256: 90c9f915c440bf44585a1d3e623e06cd56fee9c0111f5b5736345d159c95ed0f