Malicious PDF — malware analysis report

Static analysis result for SHA-256 eebe8fe692525c73…

Verdict: MALICIOUS
File type: PDF
Size: 82.6 KB
Created: 2021-03-18 21:51:02 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6b487d99ed01f58e609deba2499120f9
SHA-1: dee8a2e415c0d7fe2a69ae748dc942b516ea75a8
SHA-256: eebe8fe692525c731a04c6eaa83792267f1da2f1e46c3b0ab45c6f93fe75c3ec
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is flagged by both ClamAV (a Pdf.Phishing.Trojan signature) and the Nyx PDF classifier (malicious score 0.9997). Its metadata identifies the producer as wkhtmltopdf, i.e. an HTML page rendered to PDF, and it carries an external URI action whose target is on botokaw.ru, consistent with a phishing lure or a malware download step. The other URLs extracted point at further hosted PDF files. No scripts were extracted, so the T1059.007 (JavaScript) tag is not backed by any carved script; the external URI action is the primary indicator of compromise, and the duplicated object definition noted under Heuristics should be resolved with both first-wins and last-wins parsing before the rendered content is trusted.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV signature match; the file is detected as Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0.
  • External URI (info, PDF_URI)
    The PDF contains an external URL action; its target is the botokaw.ru URL listed first under Embedded URL.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader resolve different content, a parser-confusion shape used by targeted PDFs: a scanner that honours only the first definition can miss what the viewer actually renders. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. A URL is not a detection in itself; what matters is the channel through which it is reached (macro, JS, link annotation, document body, metadata), so the extracted URLs are grouped by channel below.
    Target of the external URI action:
    • https://botokaw.ru/award?keyword=application+letter+for+employment+template+pdf
    Other extracted URLs (links to further hosted PDF files):
    • https://cdn.sqhk.co/futevanu/jcgfhjx/legendarni_tytani_gra.pdf
    • https://cdn.sqhk.co/pedidagow/dausDha/91490732471.pdf
    • http://eurozone.pro/driving_zone_russia_mod_apk_download1nn11.pdf
    • http://italystore.pro/kegibuneje3wezg.pdf
    • http://fly-drive.online/76576927658y3669.pdf
    • http://resimpub.com/wonemakowuvavivepbch.pdf
    • http://esclub.pro/guveziripotaxur8t7im.pdf
    • http://shop-kid-toys.online/389521089lqmjt.pdf
    • http://secureappeal.com/uk_police_ranks_military_equivalent73qlj.pdf
    • https://cdn.sqhk.co/sejejajoxej/yidifjf/92154701782.pdf
    • https://s3.amazonaws.com/jozetej/kigijuselowebuwuxorapow.pdf
    • https://uploads.strikinglycdn.com/files/944700cf-8d3e-4dff-ad0b-804362497449/6961240728.pdf
    • https://737bf953-b780-43bc-8af0-312ed5328a40.filesusr.com/ugd/017c44_e58df18e6b6c4e73ad6fa31634df304e.pdf?index=true
    • https://s3.amazonaws.com/mibiwivanetuj/76739672834.pdf
    • https://5862e4ea-63a6-4c92-af93-e06d02d1a664.filesusr.com/ugd/eaa371_6685c85bf3e44b3d9db6845a585d26f5.pdf?index=true
    • https://s3.amazonaws.com/samopakamefap/baumer_og_73_un_1024.pdf
    • https://uploads.strikinglycdn.com/files/bf92a471-677a-4009-8b3d-84f1e3f64cae/the_blue_book_of_grammar_and_punctuation_eleventh_edition.pdf
    • https://507d1b22-ea03-4061-a262-f79425337ca2.filesusr.com/ugd/a374b9_38235d8f891e4a159f225690fcd231de.pdf?index=true
    • https://42172c5f-463d-425f-bc49-3536d5e9b788.filesusr.com/ugd/3e9aab_e1049d45d6624ecea5a4a0c3c2eedcfe.pdf?index=true
    • https://uploads.strikinglycdn.com/files/dbdd1c44-f31f-4098-8643-4d908c30595d/maze_runner_scorch_trials_streaming.pdf
    • https://7fc1e5b2-1dd8-4457-9de2-3dea1ab9f589.filesusr.com/ugd/fedd61_a0107332fad44211bf8ba3ee02756ad6.pdf?index=true
    XMP namespace identifiers and font vendor/designer/license URLs of the kind carried in the name table of embedded sfnt fonts (two were carved, see Extracted artifacts); these are schema names and metadata, not indicators of compromise:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://scripts.sil.org/OFL
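The three structural heuristics above (PDF_URI, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and the per-channel grouping behind EMBEDDED_URL) can be reproduced with a small object scanner. The following is an added example and not the analysis platform's own code. The PDF it scans is constructed inline: a benign text annotation in the first revision is redefined, after the first %%EOF, as a link annotation carrying a /URI action whose target is the botokaw.ru URL from this report, and a small XMP packet supplies two of the namespace URIs listed above. The function names, the active-content keyword list and the namespace prefix list are the example's own assumptions. It is a triage approximation: it scans `N G obj ... endobj` pairs with a regular expression, ignores xref tables and object streams, and only matches literal-string /URI values.

```python
import re
from collections import defaultdict

# Constructed sample (not the analysed file). The first revision defines object
# 4 0 as a harmless text annotation; the incremental update after the first
# %%EOF redefines 4 0 as a /Link annotation with a /URI action. Object 5 0 is a
# minimal XMP packet. Xref tables are omitted because this scanner never reads them.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 5 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Text /Contents (Application letter) >> endobj
5 0 obj << /Type /Metadata /Subtype /XML >> stream
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:Description xmlns:pdf="http://ns.adobe.com/pdf/1.3/" pdf:Producer="wkhtmltopdf 0.12.5"/></rdf:RDF>
endstream endobj
trailer << /Root 1 0 R /Size 6 >>
%%EOF
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 612 792] /A << /S /URI /URI (https://botokaw.ru/award?keyword=application+letter+for+employment+template+pdf) >> >> endobj
trailer << /Root 1 0 R /Size 6 /Prev 0 >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_ACTION_RE = re.compile(rb"/S\s*/URI\b")
URI_VALUE_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
URL_RE = re.compile(rb"https?://[^\s<>()\[\]\"']+")
# Assumed list of keys that make a duplicated body count as "active content".
ACTIVE_RE = re.compile(rb"/(JavaScript|JS|URI|Launch|GoToR|GoToE|SubmitForm|ImportData|RichMedia)\b")
# Assumed prefixes of XMP/RDF schema identifiers; these are names, not network indicators.
NAMESPACE_PREFIXES = (
    "http://www.w3.org/1999/02/22-rdf-syntax-ns",
    "http://purl.org/dc/elements/",
    "http://ns.adobe.com/",
)


def iter_objects(data):
    """Yield ((num, gen), body) for every 'N G obj ... endobj' in file order."""
    for m in OBJ_RE.finditer(data):
        yield (int(m.group(1)), int(m.group(2))), m.group(3).strip()


def resolve(data, policy="last"):
    """Build the object table the way a first-wins or last-wins reader would."""
    if policy not in ("first", "last"):
        raise ValueError(policy)
    table = {}
    for key, body in iter_objects(data):
        if policy == "first" and key in table:
            continue  # first-wins: later redefinitions are ignored
        table[key] = body  # last-wins: later redefinitions replace earlier ones
    return table


def duplicate_objects(data):
    """(num, gen) -> distinct bodies, for ids defined more than once with differing bytes."""
    bodies = defaultdict(list)
    for key, body in iter_objects(data):
        if body not in bodies[key]:
            bodies[key].append(body)
    return {k: v for k, v in bodies.items() if len(v) > 1}


def duplicate_severity(data):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: 'info' for body-only drift, 'high' once a duplicate carries active content."""
    return {key: ("high" if any(ACTIVE_RE.search(b) for b in bodies) else "info")
            for key, bodies in duplicate_objects(data).items()}


def uri_actions(table):
    """PDF_URI: (object id, target) for every /URI action in a resolved object table."""
    found = []
    for key in sorted(table):
        body = table[key]
        if URI_ACTION_RE.search(body):
            found.extend((key, m.group(1).decode("latin-1")) for m in URI_VALUE_RE.finditer(body))
    return found


def classify_urls(data):
    """EMBEDDED_URL: every URL in the file, grouped by the channel it was reached through."""
    targets = {u for policy in ("first", "last") for _, u in uri_actions(resolve(data, policy))}
    groups = {"uri_action": [], "namespace": [], "body": []}
    for url in sorted({m.group(0).decode("latin-1") for m in URL_RE.finditer(data)}):
        if url in targets:
            groups["uri_action"].append(url)
        elif url.startswith(NAMESPACE_PREFIXES):
            groups["namespace"].append(url)
        else:
            groups["body"].append(url)
    return groups


if __name__ == "__main__":
    for policy in ("first", "last"):
        print(f"{policy}-wins reader sees URI actions:", uri_actions(resolve(SAMPLE_PDF, policy)))
    print("duplicate objects:", duplicate_severity(SAMPLE_PDF))
    print("urls by channel:", classify_urls(SAMPLE_PDF))
```

Run against the constructed sample, the first-wins table contains no URI action at all while the last-wins table yields the botokaw.ru target, which is exactly the gap the duplicate-object heuristic is meant to expose; because the redefined body carries a /URI key, the duplicate is escalated rather than filed as benign incremental drift. The same split applies to the URL list: the namespace URIs come out in their own group and never reach an indicator feed.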

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0001075f.bin
    SHA-256: 906d1161b68dad3b791a7a05cfffe3d214bc27191705d42d72bb80ee200e9a9f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1075F
    Size: 5212 bytes
  • font_01_sfnt_off00011914.bin
    SHA-256: 09d8decb4ee9b0efa157cd8d8e0989f6319aab51f6e874020ea798b7e00f8a1f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11914
    Size: 10580 bytes