Malicious PDF — malware analysis report

Static analysis result for SHA-256 d6f8716ae20fc308…

MALICIOUS

PDF

Size: 82.8 KB
Created: 2021-03-10 16:58:41 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5ff015a1c074c24a03908ae7d9913b88
SHA-1: 52d0d1d7b26c1a4e228b0ec6f2d00e035b50949b
SHA-256: d6f8716ae20fc3080ae5691bee747301acba63441fdcbf5960eb6756b7734824
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF triggers the PDF_SEO_LINK_FARM heuristic, indicating that it hosts a large number of external links, with the primary suspicious URL being https://botokaw.ru/award. This suggests the document is designed to drive traffic to potentially malicious sites. ClamAV also detects it as Pdf.Phishing.Trojan, reinforcing the malicious verdict. While no scripts were explicitly extracted, the PDF structure and the embedded URLs point towards a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://botokaw.ru/award?keyword=frases+verbales+en+ingles+lista+pdf

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000e754.bin
    SHA-256: d13a9adb33903763a469c831a91b73c9bf5ae5d3b42d5da88a650e749d2d2a4d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE754
    Size: 5364 bytes
  • font_01_sfnt_off0000f9a2.bin
    SHA-256: a27e74bba6451c6b1c5b6f7f1052fb5f275af44e9fe0577c7c59e5546291bf85
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF9A2
    Size: 15320 bytes
  • font_02_sfnt_off000126a7.bin
    SHA-256: 07791bca69a51c448797d99ef1d903fbbca61cac79fb526a114da19d02886c03
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x126A7
    Size: 16148 bytes