Malicious PDF — malware analysis report

Static analysis result for SHA-256 bbdef588358d684a…

MALICIOUS

PDF

75.5 KB Created: 2021-03-19 05:52:00 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 183dd977e49b21ae820255dc24fc77f6 SHA-1: ef74a58fcd93ab182bc575e0e560f6a1092e34e2 SHA-256: bbdef588358d684aef9375880ae6f1aa48685de14480c202cebb597045fdf670
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous external links, with one heuristic specifically identifying a 'PDF link farm' containing 30 external links. The ML classifier and ClamAV detection strongly indicate maliciousness, with ClamAV identifying it as 'Pdf.Phishing.Trojan'. The embedded URL 'https://botokaw.ru/strik?utm_term=mini+cooper+service+intervals+2015' suggests a phishing lure related to car maintenance, likely intended to redirect users to a malicious site for credential harvesting or further payload delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://botokaw.ru/strik?utm_term=mini+cooper+service+intervals+2015
    • https://cdn.sqhk.co/rijomawonuj/NkgchfC/disney_channel_customer_service_phone_number.pdf
    • http://zixudivibudizu.scienceontheweb.net/28101731771.pdf
    • https://bifixebuwo.weebly.com/uploads/1/3/0/7/130776276/8123420.pdf
    • https://cdn.sqhk.co/ramidazumiko/hagcjcD/mavazukiganavodofux.pdf
    • https://xijafidul.weebly.com/uploads/1/3/2/3/132303061/2710942.pdf
    • https://disemorabegelam.weebly.com/uploads/1/3/1/3/131383982/lezuv.pdf
    • http://larijasetejupaz.mypressonline.com/abecedario_letras_goticas.pdf
    • https://tatasabazenaxaj.weebly.com/uploads/1/3/2/6/132695883/3231eff92f.pdf
    • http://jofufunobek.sportsontheweb.net/surutekuliwazabewuj.pdf
    • https://tokebezewala.weebly.com/uploads/1/3/3/9/133999388/6271783.pdf
    • http://sujimelowakolop.medianewsonline.com/reading_advertisements_for_comprehension_worksheets.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/tiduro/jaranufex.pdf
    • https://s3.amazonaws.com/dudigonifu/android_tv_set_top_box_firmware.pdf
    • https://05491ccc-77c7-428b-9c25-74f2c6c50d4a.filesusr.com/ugd/d51d36_e96e2a28a3a740dba4f74ea66748e18f.pdf?index=true
    • https://s3.amazonaws.com/banula/xonusu.pdf
    • https://94db4134-5784-44c5-a63d-963e509970fa.filesusr.com/ugd/9c58c5_d6a42dcf4a30427e9f0f87790c97a076.pdf?index=true
    • https://s3.amazonaws.com/patotale/88504471370.pdf
    • http://penobugixova.atwebpages.com/rizeloxekazepazekevogoni.pdf
    • https://s3.amazonaws.com/zuses/dajuzazijoparemagelixi.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e76b.bin
4ea67ef637369998ef9e1f93eadee27c060ff82fd85591378bbbfcf6ca967ee0		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE76B 5440 bytes
font_01_sfnt_off0000fa13.bin
32a1e5d4df3ea8af272593b11d86c3f5d2208b66926687bd123c15cfcfcbfaf4		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFA13 10844 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.