Malicious PDF — malware analysis report

Static analysis result for SHA-256 e5d2ed4074d7bf84…

Verdict: MALICIOUS
File type: PDF
Size: 115.6 KB
Created: 2021-03-22 18:14:18 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1848c445c41f87b9fd553bd4c22a1d97
SHA-1: 2b649652378c38529f1756c996eff74bdbf64b24
SHA-256: e5d2ed4074d7bf84131fc90309debe10c35097da81d2de542d336b2f58b3fe55
Risk score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, with a critical heuristic flagging it as a 'PDF_SEO_LINK_FARM'. One prominent URL, 'https://botokaw.ru/wix?keyword=discord+private+message+bot', is suspicious and likely leads to malicious content. The ML classifier and ClamAV detection strongly indicate malicious intent, classifying it as a phishing trojan.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9981

Heuristics (5)

  • Small PDF contains mass external PDF link farm (severity: critical, id: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, id: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (severity: info, id: PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (severity: info, id: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, id: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://botokaw.ru/wix?keyword=discord+private+message+bot
    • https://cdn-cms.f-static.net/uploads/4411252/normal_6039d4ad9d26f.pdf
    • https://cdn-cms.f-static.net/uploads/4489245/normal_5fda3a27c3ce2.pdf
    • https://cdn-cms.f-static.net/uploads/4408184/normal_6016d8c60dcd4.pdf
    • https://cdn-cms.f-static.net/uploads/4426257/normal_6019306d41c9c.pdf
    • https://static.s123-cdn-static.com/uploads/4382948/normal_5fcb41bb99396.pdf
    • https://static.s123-cdn-static.com/uploads/4450907/normal_6001b8a1c9f7b.pdf
    • https://cdn-cms.f-static.net/uploads/4465400/normal_600f227319538.pdf
    • https://static.s123-cdn-static.com/uploads/4378599/normal_5fefd458f0956.pdf
    • https://static.s123-cdn-static.com/uploads/4493578/normal_5fff330ca94cf.pdf
    • http://xokezuwadem.mygamesonline.org/what_is_the_purpose_of_a_flammable_cabinet.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/918de6e7-e235-4a70-8baf-2a53a1ef92eb/57951579735.pdf
    • http://koradanizepagow.myartsonline.com/auto_page_break_in_jspdf.pdf
    • https://uploads.strikinglycdn.com/files/9c0b19a4-6f86-4b84-960e-6cd4cdef3878/ensayo_de_la_carta_a_garcia.pdf
    • http://bitenozof.atwebpages.com/chromatography_articles.pdf
    • https://uploads.strikinglycdn.com/files/71fc4afb-40fe-499f-a187-e77e9132c2f7/73713057828.pdf
    • https://uploads.strikinglycdn.com/files/7377b412-2cc5-4391-9b49-11799454cb30/95297272736.pdf
    • https://uploads.strikinglycdn.com/files/b3cc3b78-1bba-413f-9e83-de58e9392bf1/87600312579.pdf
    • https://uploads.strikinglycdn.com/files/6f00a4f7-425f-4b72-a5f1-642072d6fc8c/sowiduba.pdf
    • https://uploads.strikinglycdn.com/files/89fae4be-cc6e-474e-8144-aa5e27b08638/matrixyl_3000_serum_side_effects.pdf
    • https://bef89f6e-6323-4b84-ad9d-a44490bfcc4f.filesusr.com/ugd/96768c_eb1d225fac3642008d48d0aa6df23672.pdf?index=true
    • https://uploads.strikinglycdn.com/files/008115a3-74db-433e-9027-7994c19c18c7/shadow_and_bone_book_1_read_online.pdf
    • https://ae0ecf71-49bb-4ac4-bba4-d0f2a20d1af9.filesusr.com/ugd/668a47_07a1c41aec0a42a49bd3abdb62fe1761.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://savannah.gnu.org/projects/freefont/
    • http://www.gnu.org/licenses/
    • http://www.gnu.org/copyleft/gpl.html
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
font_00_sfnt_off000134cc.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x134CC | 6424 bytes | 91838cdcd5e0aafc5bf0af0349e66d06387e1551d24a013491c16510681f740e
font_01_sfnt_off000144ae.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x144AE | 5560 bytes | a516719a68ba44dc77db52a25e00999f9cda796afe69649d7bda1172f440f960
font_02_sfnt_off00015782.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x15782 | 9032 bytes | f227e63505ca4eb3671b69aa0bff75929c62225e94ac5eec41c6e34824be4fa2
font_03_sfnt_off00017645.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x17645 | 12164 bytes | 58a59a93b0225f06835801ab2f083439b25e7398b7ec6e8d32b8632d40ae9a8d
font_04_sfnt_off00019fe5.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x19FE5 | 17016 bytes | e41c5e05340827030a685f3236fb67c03695a810029c96649f4221d730425185
font_05_sfnt_off0001b7f9.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1B7F9 | 1736 bytes | 551918360585b1590efa6fd2a215345b2f702067d151a0e4b48cfa7490b57960