Malicious PDF — malware analysis report

Static analysis result for SHA-256 eb094c05496610bf…

MALICIOUS

PDF

80.8 KB Created: 2021-03-24 16:03:58 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 322d322e17e1c0182ebd19584c6e532d SHA-1: b3ab7ffeeb1b32c280426ab5cdcde9e52d56ff3e SHA-256: eb094c05496610bfa6764de06495acf22be617da9f0b9035a4e8dd77eeaff684
112 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is a PDF document flagged by ML classifiers and ClamAV as malicious, specifically as a phishing trojan. Heuristics indicate the presence of external URIs and lures related to urgency and download buttons, suggesting a phishing or malware distribution attempt. The embedded URL https://botokaw.ru/strik?utm_term=hcg+2.0+protocol+food+list is a primary indicator of this malicious activity.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://botokaw.ru/strik?utm_term=hcg+2.0+protocol+food+list
    • https://cdn.sqhk.co/raxasumo/ughhjas/tamil_romantic_ringtones_2018.pdf
    • https://cdn.sqhk.co/mogudekusab/ajfZjhL/76436145953.pdf
    • http://biwedujurar.mywebcommunity.org/oxford_bookworms_library_stage_2_sherlock_holmes_short_stories.pdf
    • https://cdn.sqhk.co/zimopaji/hiaH8gj/elevator_room_escape_walkthrough_unity.pdf
    • http://budivev.scienceontheweb.net/the_card_sharper_s_daughter_summary_in.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://bc732cde-fb09-4fee-8ab5-c82a45a1131b.filesusr.com/ugd/2ac701_30a6b111dd0f4a769adf53363f6dc876.pdf?index=true
    • http://bojepudadadax.atwebpages.com/83026753643.pdf
    • https://s3.amazonaws.com/kiguteperilodu/74170205864.pdf
    • https://uploads.strikinglycdn.com/files/d09a2f21-1a01-4dd5-9dbf-51fa4ef9104c/21120210544.pdf
    • https://uploads.strikinglycdn.com/files/3789c255-b1d0-4153-80a0-cba464056f42/wutikejajujumomiv.pdf
    • https://uploads.strikinglycdn.com/files/f528ae91-c7b7-42d1-94be-53ca51504bf9/how_much_does_cyberpunk_2077_cost_to_make.pdf
    • https://ba10d46a-d7c1-43af-8542-f1a50f31aa8a.filesusr.com/ugd/4dded2_e4cff77c904d4acebd583f879afc92c5.pdf?index=true
    • http://sajoveguduv.onlinewebshop.net/apartment_therapy_s_big_book_of_small_cool_spaces.pdf
    • https://67a4337f-2b79-4d04-9c1d-2578c80f4945.filesusr.com/ugd/964009_a3d2c997f0de413a8ac92ddca2ef993d.pdf?index=true
    • https://s3.amazonaws.com/gapivegek/voxogafidojumitemir.pdf
    • https://adea4596-07c4-4c45-ba97-107779ed6dc5.filesusr.com/ugd/5bd9e2_d812cd3ceee544949676f7027ca51c0b.pdf?index=true
    • https://0b21792c-a699-4cf4-8833-5910c6ad58af.filesusr.com/ugd/b0b521_5173e5cb409248eeafa5ce4340146eb8.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e725.bin
cf039da1d493b5b9d4ad8ff2a16fa133184d4d207ae2ac1a9a643032b634986f		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE725 4944 bytes
font_01_sfnt_off0000f803.bin
a36eee06fef6ce219692c4ec918276ac99413e4fd1e3666e4031624f9289d620		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF803 1800 bytes
font_02_sfnt_off00010090.bin
1f7103b94666815a20614fb927006e9c111c972c7e9b6d1dc814138e215b25a0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10090 11112 bytes
font_03_sfnt_off00012651.bin
4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12651 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.