Malicious PDF — malware analysis report

Static analysis result for SHA-256 e449e0520140e7c7…

MALICIOUS

PDF

93.0 KB Created: 2021-03-13 18:22:05 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d29cb653b0c7336eb1a111477fcb97fa SHA-1: 9ce67a53f968eb57904f6ed1a03664c2e99a8ea3 SHA-256: e449e0520140e7c73eb48deaf01341f06fea6d0c94efc264f75e4e9dd28cc2c8
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was flagged by multiple heuristics, including a critical ClamAV detection and an ML classifier, indicating malicious intent. The embedded URLs, such as 'https://botokaw.ru/wix?keyword=rotation+worksheet+with+answers+pdf', suggest a phishing or malware distribution lure disguised as a worksheet. Although no scripts were explicitly extracted, the PDF structure and embedded URIs are indicative of a malicious document designed to trick users into visiting potentially harmful sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://botokaw.ru/wix?keyword=rotation+worksheet+with+answers+pdf
    • http://lepavojag.22web.org/sandpani_vyavasthapan_in_marathi.pdf
    • http://nakidki-alkantara.xyz/what_are_the_best_quality_swiss_watches7zdin.pdf
    • http://vipmanmarket.space/24542301109oterb.pdf
    • http://life-news.tech/double_cross_worksheet_129glxxs.pdf
    • http://kovuguzi.22web.org/td_analyse_2.pdf
    • http://copyright-notice-ig.com/befakisasabizuvote0xwli.pdf
    • http://lajulufubugo.22web.org/vujebefevex.pdf
    • http://storezone.info/48325560509wu4u4.pdf
    • http://marinarus.space/5401491377eonz.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://a161ff94-1a6f-4367-b6f8-8e513a5e676d.filesusr.com/ugd/4c7633_024cace50606411380aaaac5bcb467b2.pdf?index=true
    • http://radagosedapisat.epizy.com/pajuveteletiteti.pdf
    • http://bimivopi.epizy.com/62735250467.pdf
    • https://181f3bdf-810f-4c34-abb3-9f3362228cd6.filesusr.com/ugd/30415f_7c80c71c861d4ec89b4f207954ac52b5.pdf?index=true
    • http://pofulexurukuka.rf.gd/dezuter.pdf
    • http://jiditorugap.epizy.com/rich_dads_cashflow_quadrant_guide_to_financial_freedom_book.pdf
    • http://pakekaririwofas.rf.gd/death_in_the_afternoon_book.pdf
    • http://zosejanukapub.rf.gd/guinea_pig_petco_care_sheet.pdf
    • http://defizal.epizy.com/timomasuwake.pdf
    • http://dajurelelerasak.rf.gd/56544415952.pdf
    • https://aa3bb5c3-2bd4-4791-9e2a-6e31d5009b04.filesusr.com/ugd/60e703_8afeea696d894ad2b53b356da1d528d1.pdf?index=true
    • http://kovudefimure.rf.gd/jebanonuderabu.pdf
    • http://dimojeledogaru.epizy.com/adverbial_clause_list.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000125ae.bin
b7f317aa0f29cd34df008dc84d8f376d2685882a57a4a5cd0d86477d0adf885a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x125AE 2828 bytes
font_01_sfnt_off00012fa9.bin
da3cd2dacfab03c87025076248801ea85e8a43cb1e57280ad8f7dcfed663b228		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12FA9 5260 bytes
font_02_sfnt_off000141a5.bin
1316d2e70c447d21c250b598c6dc65504c710016d0ea805e03599c7aa0605a3e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x141A5 10216 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.