Malicious PDF — malware analysis report

Static analysis result for SHA-256 c72bb10f3cc8bc0a…

MALICIOUS

PDF

Size: 99.9 KB Created: 2021-05-17 04:42:48 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c1f3c6fdc53aea3d38c246628e731fe6 SHA-1: 9e3a669495deca00d7f88630db0a972a127f7182 SHA-256: c72bb10f3cc8bc0a47de132f1251a8fb75f6a695844a57b3baea89bdeb32e866
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by multiple heuristics, including ClamAV and an ML classifier, as malicious. It contains a large number of external links, many pointing to PDF files, suggesting a link farm or SEO poisoning attempt. One of the primary URLs, 'https://botokaw.ru/strik?utm_term=sap+hana+free+tutorials', is likely the intended destination for users, possibly to download further malicious content or engage in phishing.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://botokaw.ru/strik?utm_term=sap+hana+free+tutorials

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00012a0b.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12A0B
    Size: 5092 bytes
    SHA-256: e81793d6bb97214d4508ef70de7d15822e1b81711c4bedf7f8f7801138e68862
  • Filename: font_01_sfnt_off00013b4d.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x13B4D
    Size: 1800 bytes
    SHA-256: e9a5a1f6ed95b1e3669933bb00002ad32a1708c3e0b735191cad5e02368a6c7d
  • Filename: font_02_sfnt_off000143db.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x143DB
    Size: 12436 bytes
    SHA-256: 24044ae9d4b7340eb5387de7ee56a4c019560a0dc4b56cbc9aaf8e91d1db35b2
  • Filename: font_03_sfnt_off00016d19.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x16D19
    Size: 16060 bytes
    SHA-256: 5b0d2701ab39d2f69c66d7d16c60d8db0b323aa0832947137e757b5401d27330