Malicious PDF — malware analysis report

Static analysis result for SHA-256 d88aa22885853eae…

MALICIOUS

PDF

Size: 79.4 KB
Created: 2021-04-03 20:24:39 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 05f049dbb0acb39e8634775e62988b09
SHA-1: 6aa8ac70d2d87957b3f80ebecbb1a77923923b33
SHA-256: d88aa22885853eaedfb841578683f69f4f6e9b5b57b5bd036d634666b961dc82
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF document identified as malicious by ClamAV and an ML classifier. It contains an embedded URI pointing to 'https://botokaw.ru/award?keyword=aruba+tourist+map+pdf', suggesting a phishing or malware delivery attempt disguised as a tourist map. No scripts were extracted, but the PDF structure and embedded URI are strong indicators of malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://botokaw.ru/award?keyword=aruba+tourist+map+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000fa65.bin
SHA-256: 084d9b7e47ccc3a068a4da25d087f8d40facc7e0ac010debc6085005fee2ab8f
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xFA65
Size: 5284 bytes

Filename: font_01_sfnt_off00010c42.bin
SHA-256: 95432188be071ee56ddfc560164e249b883ae9d9f16e7c8445c4ba63f496ef8b
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x10C42
Size: 10824 bytes