Malicious PDF — malware analysis report

Static analysis result for SHA-256 bd63bc2d7980c392…

Classification: MALICIOUS
File type: PDF
Size: 82.5 KB
Created: 2021-03-13 16:40:30 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 97023ec666bb0427f94b968852da4e24
SHA-1: d3e3a29ce03f505b27ca322ffb1c4f4edbb150a3
SHA-256: bd63bc2d7980c392fbf4001332f5ee953c504ef4067b98e088b7fd9420326af3
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged by multiple heuristics, including ClamAV and an ML classifier, as malicious. It contains a large number of external links, suggesting a link farm or phishing attempt. One of the primary URLs extracted, 'https://botokaw.ru/wix?keyword=what+does+clarisse+in+fahrenheit+451+symbolize', appears to be a lure to direct users to potentially malicious content. The presence of embedded URLs and the overall structure strongly indicate a phishing or malware distribution campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://botokaw.ru/wix?keyword=what+does+clarisse+in+fahrenheit+451+symbolize
    • https://jedifubebevaze.weebly.com/uploads/1/3/4/8/134873515/bfacf3ca.pdf
    • https://cdn.sqhk.co/luwivimexu/2Qiddgj/47794826332.pdf
    • https://bakogala.weebly.com/uploads/1/3/1/3/131384254/tixunafugirusupufag.pdf
    • https://xizenebijebis.weebly.com/uploads/1/3/2/3/132303300/bad7bcddaa.pdf
    • https://cdn.sqhk.co/pepupiribojo/cm7jj0k/change_eye_color_contacts_non_prescription.pdf
    • https://cdn.sqhk.co/jonuwezipagi/cJAQIig/wuvizu.pdf
    • https://cdn.sqhk.co/leluforeref/gjg5lXO/46322404555.pdf
    • https://cdn.sqhk.co/liwewajawab/hgjjeOX/3346890412.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://5902ff30-e651-486c-ac37-3e8383bfa78f.filesusr.com/ugd/f35da0_58f8aad496404ec99f078e21cf5f7aa6.pdf?index=true
    • https://b3d988c2-7a7d-4c3c-9141-221b6550481e.filesusr.com/ugd/9dda13_ea29fd5e4ca84230a605739242b5ff95.pdf?index=true
    • https://18b62485-dce0-4e35-9712-b1d1f13fcb23.filesusr.com/ugd/296484_826033889ff64b9595226f40e2e25e82.pdf?index=true
    • https://12c48f50-3553-44c7-a31c-19fc5df83d07.filesusr.com/ugd/7e0eb0_5bf8b4029a054c529a245b1839cf5e8b.pdf?index=true
    • https://5071cc05-3fa2-46b1-b944-d2523ca4b51d.filesusr.com/ugd/62e2c1_39a36e7c4beb4fb0a8441b0c8ae71c4b.pdf?index=true
    • https://6f8cb219-4830-455d-9ced-b55e65700e85.filesusr.com/ugd/fd30ac_43a8d792d6594ed2a5ad095ecf6c12e6.pdf?index=true
    • https://6c036dbd-b327-4678-b778-de8a2ee7bb50.filesusr.com/ugd/ed64d2_7c99649d77e74dcbb861301d926a393a.pdf?index=true
    • https://8d94caac-80d5-4f6d-a73a-04ed47837dc1.filesusr.com/ugd/585b1d_4948c2c4a5704aec9b40dac70e2900f0.pdf?index=true
    • https://55963656-6eb1-4b25-bcd5-bb835d65808b.filesusr.com/ugd/0064ae_a1dac830642a4690863d73fb0e7a2174.pdf?index=true
    • https://467375c7-a7a6-4806-a9b7-892c2a528f89.filesusr.com/ugd/911174_9e88acca160a4efa9ebab1401fd068aa.pdf?index=true
    • https://13a2bf7a-7930-4518-a7e6-737bf3c0aa4f.filesusr.com/ugd/f5c1a0_49e3ff051fac4b8e950f9acacd6c568b.pdf?index=true
    • https://bc5ba30c-e427-49eb-abc4-9677f18f04c1.filesusr.com/ugd/bcd086_477e8333cd2747c29fcffd3604f86483.pdf?index=true
    • https://c83cbd6e-a134-4b49-ba12-49f24c654ad9.filesusr.com/ugd/904a8b_3a1000f3931942f68cd21f9cc3e83362.pdf?index=true
    • https://5405d108-7f1e-482b-a10c-e06f62b7505d.filesusr.com/ugd/d941b1_dec0394a05ba4771a8f43edef6a482bf.pdf?index=true
    • https://27f1a270-5048-4778-87f0-574dfe85248a.filesusr.com/ugd/b7306e_bd2ebbbdec2041f684e9f3c7933df6af.pdf?index=true
    • https://4c69d07c-928c-405f-a1ab-6436392658c4.filesusr.com/ugd/4c264d_ea4b4f3d252741b3a5cd9dd5075d7cc4.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f758.bin
  SHA-256: 0b88bbfc714ae667e77dbba4d89e39826f0277088cc890d9d8afbc801ad693c0
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF758
  Size: 5616 bytes

Filename: font_01_sfnt_off00010a6c.bin
  SHA-256: 22dc57cac58a21619c445adfc75c63f68dfdf9b2c4ac1cd764bd8fae287b4b71
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x10A6C
  Size: 10408 bytes

Filename: font_02_sfnt_off00012e0e.bin
  SHA-256: 9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x12E0E
  Size: 4324 bytes