Malicious PDF — malware analysis report

Static analysis result for SHA-256 c80b97405516140e…

Verdict: MALICIOUS
File type: PDF
Size: 80.2 KB
Created: 2021-03-25 04:44:17 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6ff7533bb00679b3217ea23dbd9bea62
SHA-1: da7eca26c53ea2d40fdaedf2a704bc53e7632a9e
SHA-256: c80b97405516140e43594382e8196c3bb5ceeb3eb1a72321c0df798f7d4b2014
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, and a critical heuristic identifies it as a link farm. One prominent URL, 'https://botokaw.ru/award?keyword=alesis+performance+pad+manual+pdf', is consistent with a lure used to disguise malicious intent. No scripts were explicitly extracted, but the PDF structure and the presence of many unknown URLs indicate a phishing or malware-distribution attempt, likely relying on embedded JavaScript for redirection.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9993

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://botokaw.ru/award?keyword=alesis+performance+pad+manual+pdf
    • http://usesalon.xyz/determination_of_biological_oxygen_demandqszq6.pdf
    • https://fafapiponuge.weebly.com/uploads/1/3/4/6/134692005/7922537.pdf
    • http://datab.vip/how_to_cook_tamales_in_a_pressure_cooker0mnq2.pdf
    • http://daddytestit.xyz/how_to_set_up_g_shock_wr20bargn7op.pdf
    • https://zeteleginogegop.weebly.com/uploads/1/3/4/5/134526156/zudapoboxokajarevoli.pdf
    • https://tazokadenu.weebly.com/uploads/1/3/2/6/132695553/noxubewikewe.pdf
    • https://fewojejano.weebly.com/uploads/1/3/4/3/134348079/355561.pdf
    • https://tarutugiwom.weebly.com/uploads/1/3/5/3/135326066/b9db13b6f73c1.pdf
    • https://jajibesuwazigix.weebly.com/uploads/1/3/1/3/131383486/7823144.pdf
    • https://bajorenurelop.weebly.com/uploads/1/3/0/7/130739037/xagirigawatiriguj.pdf
    • http://skidki-day.site/32365041839fiahj.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/b3d61fee-c53b-4987-abf8-cf77c062e8ca/the_poetics_summary.pdf
    • https://uploads.strikinglycdn.com/files/159e24ca-0391-499a-bd0c-4daa559aa674/adding_and_subtracting_fractions_worksheets_with_unlike_denominators.pdf
    • https://3d7304b5-8527-495f-b913-615d6f357a43.filesusr.com/ugd/ef7486_4611fe03a5294bd89eb4591c27f480df.pdf?index=true
    • https://s3.amazonaws.com/fosalizuzu/suffix_worksheet.pdf
    • https://s3.amazonaws.com/dewutexorob/best_apk_to_watch_anime_free.pdf
    • https://s3.amazonaws.com/sezewu/23995020980.pdf
    • https://3b87a2b8-2d13-4e6d-acc4-cbba57692a59.filesusr.com/ugd/50988c_8459898fd04f430a8db7bf405e454065.pdf?index=true
    • https://uploads.strikinglycdn.com/files/77f6fd60-7676-4616-9329-39b5f0bdd6e8/74325846769.pdf
    • https://77ac2d45-d533-4b4b-a85c-01e81860bff9.filesusr.com/ugd/7f1ad7_9a69f0df11d843a5baf4a7d63a96f9b1.pdf?index=true
    • https://68fdcf0a-b1f0-4758-9edf-48d2be6d990b.filesusr.com/ugd/ac51ce_ca4b45df7516415da8473cfd0ea3e912.pdf?index=true
    • https://s3.amazonaws.com/gowupuzokowuxes/geology_journal_guide_for_authors.pdf
    • https://uploads.strikinglycdn.com/files/9332ae3d-5270-4a51-b2ba-8abea9a34d0d/the_diffusion_of_innovation_theory_in_agriculture_was_given_by.pdf
    • https://uploads.strikinglycdn.com/files/cb031834-2bc6-4d76-a92c-8b60d2682cbf/will_there_be_a_2021_ford_mustang_gt.pdf
    • https://98748e4b-3258-471a-903e-8ea98415cca0.filesusr.com/ugd/fd7405_5c9412180b5345efaef9abb4a40956cc.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000f8fd.bin
    SHA-256: 7300030f8d186759376d597937d59e4016846b6ade6e973dda3d345dd22d371f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF8FD
    Size: 5288 bytes
  • font_01_sfnt_off00010ae1.bin
    SHA-256: 22786e28d30e1223dd22d54610552aa871cc4fcf44e0fd10fa412642aaa76fa7
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10AE1
    Size: 11556 bytes