Verdict: MALICIOUS
Risk Score: 156
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF carries a large number of external links, most of them pointing at PDF files on a handful of file-hosting domains, which matches the PDF_SEO_LINK_FARM heuristic for generated link-farm carriers rather than a normal citation pattern. The primary malicious URL is https://botokaw.ru/strik, reached through a PDF link annotation (the only clickable link; the remaining URLs were extracted from document text). The ClamAV signature (Pdf.Phishing.Trojan) and the ML classifier (malicious score 0.9994) both point to phishing or malware-delivery intent.
Machine Learning
- Nyx PDF Classifier malicious score 0.9994
Heuristics (5)
- CLAMAV_DETECTION (critical): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- PDF_SEO_LINK_FARM (critical): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- PDF_URI (info): PDF contains an external URL action.
- PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- EMBEDDED_URL (info): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://botokaw.ru/strik?utm_term=kuch+kuch+hota+hai+full+movie+bangla+subtitle (PDF link annotation)
  - https://getariko.weebly.com/uploads/1/3/4/9/134904460/julatikem.pdf (in PDF document text)
  - https://fidimamafiw.weebly.com/uploads/1/3/4/6/134624465/pofox.pdf (in PDF document text)
  - https://cdn-cms.f-static.net/uploads/4450046/normal_6027a3f79068e.pdf (in PDF document text)
  - https://cdn-cms.f-static.net/uploads/4426262/normal_5fd62e28cc10a.pdf (in PDF document text)
  - https://latobebesat.weebly.com/uploads/1/3/5/9/135993630/2006196.pdf (in PDF document text)
  - https://cdn-cms.f-static.net/uploads/4366652/normal_60549286e663d.pdf (in PDF document text)
  - https://cdn-cms.f-static.net/uploads/4426697/normal_6020531a5ae49.pdf (in PDF document text)
  - https://cdn-cms.f-static.net/uploads/4464877/normal_606d660769db4.pdf (in PDF document text)
  - http://www.ascendercorp.com/ (in PDF document text)
  - http://www.ascendercorp.com/typedesigners.html (in PDF document text)
  - https://uploads.strikinglycdn.com/files/501d79ca-a057-439e-af06-7dd8f757d093/roomba_870_review.pdf (in PDF document text)
  - https://s3.amazonaws.com/zaxawetawupo/63846677507.pdf (in PDF document text)
  - https://s3.amazonaws.com/fosalizuzu/wotewaze.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/65b860d0-77fa-43f0-bfa8-93284853d99b/gnostic_bible_scriptures.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/a189adce-a631-489d-9548-51e3f5190803/what_is_my_race_if_im_white_american.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/38fc65f5-1aff-4436-87cc-9e355f357ec2/gramatica_a_present_tense_of_irregular_yo_verbs_page_102_answers.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/10cdf241-7e44-4892-86b6-99aa181bc3c6/how_to_use_kindle_lending_library.pdf (in PDF document text)
  - https://s3.amazonaws.com/zatasipezeg/how_to_calibrate_vivint_element_thermostat.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/014db9ad-a76f-49ce-8a80-06bc220c1125/data_security_tips_for_employees.pdf (in PDF document text)
  - https://s3.amazonaws.com/remavuj/comptia_security_guide_to_network_security_fundamentals_6th_edition_publisher_cengage_learning_2017.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/cb25b41c-0110-49c9-b740-89922e6b4f9d/los_cuatro_acuerdos_doctor_miguel_ruiz.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/b6199651-e68d-4697-acc1-7a66381ff51d/how_to_self_clean_my_ge_oven.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/d79dcdb0-1817-4de1-bf97-67acbd207b46/can_you_renew_your_ny_drivers_license_online.pdf (in PDF document text)
  - https://s3.amazonaws.com/netinuwa/evidence_of_a_chemical_reaction_lab_answers.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/2a5af9f8-c556-4823-9047-5b41e140a511/lightning_thief_book_chapter_2.pdf (in PDF document text)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
  - http://purl.org/dc/elements/1.1/ (in PDF document text)
  - http://ns.adobe.com/pdf/1.3/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
  - http://scripts.sil.org/OFL (in PDF document text)
  The w3.org, purl.org and ns.adobe.com entries are standard XMP metadata namespace identifiers, and the ascendercorp.com and scripts.sil.org/OFL entries are the kind of font-vendor and Open Font License references typically found in embedded-font name tables; none of them is a link annotation, so they do not count toward the link-farm verdict.
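As an added example (not the analyzer's own code), the following Python script reimplements the two structural checks above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, as regex scans over raw PDF bytes. It runs on a constructed sample PDF built inline; the thresholds (file size, link count, host clustering), the list of active-content keys, the severity labels and every domain name in it are assumptions, not values taken from this report.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Regexes over raw bytes: enough for triage, not a full PDF parser (object streams,
# hex-encoded strings and FlateDecode'd content are not covered).
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
# Keys that make a duplicated object "active content" (assumed list).
ACTIVE_RE = re.compile(rb"/(URI|JavaScript|JS|Launch|SubmitForm|GoToR|OpenAction|AA)\b")


def build_sample_pdf() -> bytes:
    """Constructed sample (not the file from the report): a tiny PDF whose single
    page carries 12 link annotations on one host, plus an incremental update that
    redefines object 4 (a /URI action) with a different target."""
    farm = ["https://uploads.example-cdn.test/files/%d.pdf" % i for i in range(12)]
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",                   # 1 0 obj
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",           # 2 0 obj
        None,                                                   # 3 0 obj, page, filled below
        b"<< /S /URI /URI (https://benign.example.test/) >>",   # 4 0 obj, first definition
        b"<< /Type /Annot /Subtype /Link /A 4 0 R >>",          # 5 0 obj, indirect action
    ]
    for url in farm:                                            # 6..17 0 obj, inline actions
        objs.append(b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (%s) >> >>" % url.encode())
    annots = b" ".join(b"%d 0 R" % n for n in range(5, len(objs) + 1))
    objs[2] = b"<< /Type /Page /Parent 2 0 R /Annots [" + annots + b"] >>"
    pdf = b"%PDF-1.7\n"
    for num, body in enumerate(objs, start=1):
        pdf += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    pdf += b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    # Incremental update: same object number and generation, different body bytes.
    pdf += b"4 0 obj\n<< /S /URI /URI (https://lure.example.test/strik) >>\nendobj\n"
    pdf += b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    return pdf


def link_farm_check(pdf: bytes, max_size=200_000, min_links=8, min_cluster=0.6) -> dict:
    """PDF_SEO_LINK_FARM-style check (thresholds are assumptions): a small file
    with many external /URI targets, most of them on a single host."""
    uris = [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf)]
    external = [u for u in uris if urlsplit(u).scheme in ("http", "https")]
    if not external:
        return {"flag": False, "links": 0, "top_host": None, "cluster": 0.0}
    hosts = Counter(urlsplit(u).hostname for u in external)
    top_host, top_n = hosts.most_common(1)[0]
    cluster = top_n / len(external)
    flag = len(pdf) <= max_size and len(external) >= min_links and cluster >= min_cluster
    return {"flag": flag, "links": len(external), "top_host": top_host, "cluster": round(cluster, 3)}


def object_definitions(pdf: bytes) -> dict:
    """Map (num, gen) -> list of body bytes in file order, one entry per definition."""
    defs = {}
    for m in OBJ_RE.finditer(pdf):
        key = (int(m.group(1)), int(m.group(2)))
        defs.setdefault(key, []).append(m.group(3).strip())
    return defs


def duplicate_objects(pdf: bytes) -> dict:
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL-style check: objects defined more than
    once with differing bodies. Reports what a first-wins and a last-wins reader
    would resolve, and raises severity only when a copy carries active content."""
    result = {}
    for key, bodies in object_definitions(pdf).items():
        if len(set(bodies)) < 2:
            continue
        active = any(ACTIVE_RE.search(b) for b in bodies)
        result[key] = {
            "first_wins": bodies[0],
            "last_wins": bodies[-1],
            "severity": "high" if active else "info",
        }
    return result


if __name__ == "__main__":
    sample = build_sample_pdf()
    print("size: %d bytes" % len(sample))
    print("link farm:", link_farm_check(sample))
    for (num, gen), info in duplicate_objects(sample).items():
        print("duplicate object %d %d (%s):" % (num, gen, info["severity"]))
        print("  first-wins ->", info["first_wins"].decode("latin-1"))
        print("  last-wins  ->", info["last_wins"].decode("latin-1"))
```

Against a real sample, pass the file's bytes instead of build_sample_pdf(). The regexes only see uncompressed syntax, so a production check also has to inflate object streams before scanning; and the first-wins versus last-wins split is the point of the duplicate-object check, since a scanner that resolves one way can miss the target the victim's reader actually follows.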
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0001066a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1066A | 5432 bytes | 2b7adcf9ace204bb23d078f6e0561515942e5c4b80646786a6edc73c63660f3c |
| font_01_sfnt_off000118d7.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x118D7 | 10832 bytes | 28c41758d577a79ff7bbabff873c10d99d19ece32528f9b748c4321aad481f57 |