Malicious PDF — malware analysis report

Static analysis result for SHA-256 ba2de227b3d42af1…

MALICIOUS

PDF

Size: 76.3 KB
Created: 2021-03-23 11:01:20 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1e0e95e924ac870a418d1632114ad951
SHA-1: 53d754070935d7e063043fa47bb988d2ea7da9f3
SHA-256: ba2de227b3d42af1558172136553043f12de7b6eae5620c7b62be20247fb10df
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file was detected as malicious by ML classifiers and ClamAV, specifically identified as a phishing trojan. It contains an embedded URI pointing to 'botokaw.ru', which is likely used to redirect the user to a malicious site. Although no scripts were explicitly extracted, the PDF structure and embedded URLs suggest an attempt to exploit users through deceptive content, aligning with spearphishing tactics.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8702

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://botokaw.ru/award?keyword=hernia+de+disco+tratamento+fisioterapeutico+pdf

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00010e06.bin
SHA-256: 052732fc7dfaf9020b830ce0ebe28cefd6a6a8cfaf1911ae47c3e3d4265d0afd
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x10E06
Size: 5112 bytes