Malicious PDF — malware analysis report

Static analysis result for SHA-256 bb69432368766f21…

Verdict: MALICIOUS
File type: PDF
Size: 199.6 KB
Created: 2021-03-20 21:22:20 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 503672c6ef0303828c65d5aefe3d07d7
SHA-1: ef218c7d61f886fc84ac2c7724a0950028b1b7ff
SHA-256: bb69432368766f21471a289017bb9d13006dd1ddbd4509b54c277a8c3d6de44b
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. It contains an embedded URI pointing to 'https://botokaw.ru/award?keyword=aqeedah+tahawiyyah+arabic+english+pdf', which is a strong indicator of a phishing or malware distribution attempt. The document body is heavily obfuscated and unreadable, suggesting an attempt to hide its malicious nature.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://botokaw.ru/award?keyword=aqeedah+tahawiyyah+arabic+english+pdf
    • https://cdn.sqhk.co/xumobopore/EAx6giw/33316121893.pdf
    • https://cdn.sqhk.co/ridetalazo/orsicjh/pejabizidugerewir.pdf
    • https://cdn.sqhk.co/xeloxilava/Y0hYhhs/simple_black_forest_cake_design.pdf
    • https://cdn.sqhk.co/jivonaxadu/RzVXhgF/35755719353.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/68843703-0a56-45f6-a18b-f9a21b433010/2575767761.pdf
    • https://uploads.strikinglycdn.com/files/bc8aa7c9-5785-4365-b3f5-3b4d0c4cbcc8/38087867902.pdf
    • https://0d555108-1732-4721-8d72-76d747b2053a.filesusr.com/ugd/1b0481_37e4c08ff125411bae56671e0a7158e7.pdf?index=true
    • https://uploads.strikinglycdn.com/files/58e6e1b5-e344-4d74-9e82-6038c47340f2/how_to_apply_vinyl_to_kitchen_cupboards.pdf
    • https://s3.amazonaws.com/bulujono/sketchup_pro_2020_system_requirements.pdf
    • https://6d428a25-da86-44fa-8f13-5b0f09742281.filesusr.com/ugd/3649d2_8ef801cce88546a9892ccf8c4329b546.pdf?index=true
    • https://s3.amazonaws.com/teximikamukubo/mitosis_vs_meiosis_answer_key.pdf
    • https://uploads.strikinglycdn.com/files/7936e14e-4b92-496f-aec4-96e72ef4f231/what_is_political_discourse_theory.pdf
    • https://s3.amazonaws.com/tiluwisulepam/juxujilolibo.pdf
    • https://ee897e78-a157-4eb5-8a47-d615096087a2.filesusr.com/ugd/113e89_e8247edfd5e1459eb607dc9fe88c2b69.pdf?index=true
    • https://uploads.strikinglycdn.com/files/2a0365f9-032a-4221-82be-af66ecc816d0/how_to_identify_hazards_in_the_workplace.pdf
    • https://uploads.strikinglycdn.com/files/597d8e08-8550-4f29-9d1a-58d9880e7949/motorola_mc9190_specs.pdf
    • https://uploads.strikinglycdn.com/files/80d0ceff-ac66-4199-8df4-429a95c0318f/gosunusimebuvusilebivi.pdf
    • https://s3.amazonaws.com/wapabefizosumi/alpolic_safety_data_sheet.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    • http://scripts.sil.org/OFL

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • stream_005_off0002d37d.bin
    SHA-256: c84df43ea41202fb6ba4bbca9a80fa926443814e3404ecfd3d417951bd4e23a7
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x2D37D
    Size: 34436 bytes
  • font_00_sfnt_off0002986b.bin
    SHA-256: 071f466d264fc0455dd98bb89daa9ed80edcdce638e9f11d64ebe437da338e13
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2986B
    Size: 5868 bytes
  • font_01_sfnt_off0002ac6e.bin
    SHA-256: 741c2274d4379820f211800dacf4c1e0538b94b94a1914f6e84bb63202121a1a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2AC6E
    Size: 12228 bytes