Malicious PDF — malware analysis report

Static analysis result for SHA-256 d5837f07e471b143…

MALICIOUS

PDF

Size: 92.3 KB
Created: 2021-05-21 22:25:57 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-21
MD5: 6a7c629d1759b6dec48f1b20d5a126e0
SHA-1: 7a9e9c69ad8dd9ad8bcc699102b801b6b0462c05
SHA-256: d5837f07e471b143835b54f705dcbd79d081193aae6b4f0a0c112b3633a516cc
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF document that contains an embedded URL. The ML classifier and ClamAV detection strongly indicate maliciousness. The PDF_URI heuristic identified an external URI pointing to 'botokaw.ru', which is likely the malicious payload delivery site. The document body, though heavily obfuscated, suggests a lure related to a '2004 infiniti g35 repair manual pdf'.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://botokaw.ru/strik?utm_term=2004+infiniti+g35+repair+manual+pdf (PDF link annotation)
    • https://static.s123-cdn-static.com/uploads/4374196/normal_5fcddd2547799.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4460055/normal_5fd8f70995eea.pdf (In PDF document text)
    • http://www.ascendercorp.com/ (In PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (In PDF document text)
    • https://uploads.strikinglycdn.com/files/170ae776-fadc-41db-baaa-cb746cfca0c1/liniwewoxebewasegikakop.pdf (In PDF document text)
    • https://s3.amazonaws.com/gonasidupij/blaupunkt_tv_blue_and_red_light_flashing.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/b28d5944-e77a-4e90-9e6b-47d2664cdbcf/57859661361.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/bd3aa171-bfb2-44bd-9250-d3ff2d9cb570/can_i_put_a_shorter_barrel_on_my_ar_15.pdf (In PDF document text)
    • https://s3.amazonaws.com/gozilum/cuanto_mide_una_pulgada_en_mm.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/ac0d02c6-0e1b-4c6f-8052-9aca0d54c54a/fizuwoxe.pdf (In PDF document text)
    • https://s3.amazonaws.com/wekibik/vetavikugumozulevotud.pdf (In PDF document text)
    • https://s3.amazonaws.com/fuwawibu/coldplay_viva_la_vida_trumpet_sheet_music.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/adf6766b-d246-4c57-9fb4-37f89d9f14da/dozimugezeg.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/da6d9012-a440-46f5-b653-14e5292246a6/does_verizon_work_with_straight_talk.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/a0e2f7bf-4d8f-4ec2-8ed9-bcb05a50b1cd/17572172810.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/e4943222-ead8-4475-820f-14c5d9cd4f6b/behind_closed_doors_book_review.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/26a6c5a9-8e7a-44bb-ace5-9eb5f3d59152/los_crimenes_de_la_calle_morgue_resumen_edgar_allan_poe.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/3f1e9a68-ab16-450f-8df2-d2005d98b18d/9417611836.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/19c64ab4-4827-4b7b-a1e1-4a0ed68e8d91/most_coldest_place_in_the_world_now.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/afb86ba4-9eb6-496b-9b1b-83ba840a2ef4/mojakutofipefososam.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/4721f5cc-8824-4a8b-873b-1335a69701a7/zobamisepomapalomukidiw.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/d1e53acf-2999-4ac2-a80b-0dfc86a617f4/axial_yeti_xl_kit_kaufen.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/1749d836-d8fd-4265-a133-637a8d445ce0/1533326970.pdf (In PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (In PDF document text)
    • http://purl.org/dc/elements/1.1/ (In PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (In PDF document text)
    • http://scripts.sil.org/OFL (In PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off000128ad.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x128AD | 5740 bytes
  SHA-256: ba73f79a7e9bf168c3d59fe4c2c386b7dac591d7ca0e22fccefde4a342f1edba
font_01_sfnt_off00013c33.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13C33 | 11516 bytes
  SHA-256: feef62d59af97e3f18279556c9ddba56c5b8acb5d8d28c7607206606aa51652e