Malicious PDF — malware analysis report

Static analysis result for SHA-256 f76648388a800939…

MALICIOUS

PDF

Size: 77.0 KB
Created: 2021-03-28 18:25:37 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8aa874418114b36cfc547534861c19e9
SHA-1: 2e97cb0ec1048433b5b4583df12e822ce8045fc6
SHA-256: f76648388a8009396c7a236d3f832e8c29917583c7d2bab6236a80cf411cb123
Risk score: 156

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF was flagged as malicious both by ClamAV (Pdf.Phishing.Trojan signature) and by the ML classifier (score 0.9992). It carries an unusually large number of clickable external links for a 77 KB document, most of them pointing at other PDFs on free hosting (epizy.com, 22web.org) and site-builder CDNs (strikinglycdn.com, filesusr.com, f-static.net), which is the footprint of a generated SEO doorway / link-farm carrier rather than a document that cites sources. The primary URL, https://botokaw.ru/123?utm_term=calendario+serie+a+pdf+2018%252F+19, has a utm_term that decodes to the search phrase "calendario serie a pdf 2018/19" (with a double-encoded slash), i.e. the bait query the document was generated to rank for; it is the most likely redirection point into a malicious or unwanted-software delivery chain. The authoring application (wkhtmltopdf) is consistent with HTML-to-PDF mass generation. No JavaScript or other active content was extracted, so the T1059.007 tag is not backed by observed script content; the verdict rests on the link-farm structure, the duplicated object definition and the signature match, and the file should be treated as a phishing / malware distribution lure rather than an exploit document.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://botokaw.ru/123?utm_term=calendario+serie+a+pdf+2018%252F+19
    • https://cdn-cms.f-static.net/uploads/4458150/normal_5fe68baa1128f.pdf
    • https://cdn-cms.f-static.net/uploads/4368225/normal_603b5f5885a23.pdf
    • https://cdn-cms.f-static.net/uploads/4405922/normal_6056857c529fe.pdf
    • https://cdn-cms.f-static.net/uploads/4375342/normal_6047a41785459.pdf
    • https://static.s123-cdn-static.com/uploads/4485587/normal_60084b225b657.pdf
    • http://tedamowajowiw.22web.org/final_fantasy_xiv_a_realm_reborn_gameplay_ps4.pdf
    • http://bevibopo.22web.org/carrom_board_rules_and_regulations.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/e58c60e6-0cf4-402e-860f-a6162fd4de04/how_to_adjust_schwinn_ic4.pdf
    • http://favagapararo.epizy.com/sample_argumentative_essay.pdf
    • https://5634f520-c25d-421d-ab67-3d94505d13cb.filesusr.com/ugd/1b85ab_8349c9abf8064e769a94fb728c2a83bf.pdf?index=true
    • https://uploads.strikinglycdn.com/files/772635cb-db8a-4864-8c02-ca76cbde5933/what_is_meant_by_the_term_upward_spiral.pdf
    • https://uploads.strikinglycdn.com/files/9e96d3af-b50c-4bb9-afe0-3cced0f2cbd0/how_to_apply_wall_art_stickers.pdf
    • https://uploads.strikinglycdn.com/files/776a30e9-450a-4cd6-a9c3-e4f96e027cce/bimupovuxozomote.pdf
    • https://uploads.strikinglycdn.com/files/01ec729c-aa9c-4e09-8b45-4881517be18a/40022970538.pdf
    • http://xofenilar.epizy.com/45407832316.pdf
    • http://mafasegu.epizy.com/bhangra_video_hd.pdf
    • http://vetuvadoxawiton.epizy.com/nopegafin.pdf
    • http://tenowuwewid.epizy.com/mobimisilufadugegilewuk.pdf
    • https://77da94c0-0f0a-445b-87af-e489a0b5ef66.filesusr.com/ugd/db1da1_69274ae9b03c4d4c83869874421f5c6f.pdf?index=true
    • https://uploads.strikinglycdn.com/files/48dbb172-566a-4989-8c17-20e3178baad7/74652329462.pdf
    • http://nomekerileme.epizy.com/70797985184.pdf
    • https://uploads.strikinglycdn.com/files/90015dec-f8ad-48d2-8dc4-577b699ee7b3/how_to_unclog_glacier_bay_toilet.pdf
    • http://jezawirigi.epizy.com/92963463585.pdf
    The remaining seven entries are not navigable links: the first six are XMP metadata namespace identifiers and the last is the SIL Open Font License URL carried in the embedded font's metadata.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
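The two structural heuristics above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, can be reproduced on the raw file bytes with a short Python triage script. The block below is an added example written for this page, not the analysis platform's own code. It indexes every `N G obj ... endobj` pair in file order without trusting the xref table, reports object numbers defined more than once with differing bodies (raising the severity only when a body carries active content), shows what a first-wins and a last-wins reader would each resolve, and clusters link-annotation URIs by host. The PDF bytes, the hosts (farm.invalid, botokaw.invalid, example.org) and the thresholds for "small" and "clustered" are constructed assumptions, not values taken from the analysed sample.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample (not the analysed file): a minimal PDF whose object 4 is
# defined twice with different bodies, as an incremental update would do, and
# whose link annotations point mostly at a single host.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://www.example.org/index.html) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://farm.invalid/a.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://farm.invalid/b.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://farm.invalid/c.pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://botokaw.invalid/123?utm_term=x) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Raw-byte scan: "N G obj <body> endobj". Deliberately ignores the xref table,
# because parser-confusion samples rely on readers disagreeing about it.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Dictionary keys that make an object "active" rather than passive content.
ACTIVE_RE = re.compile(rb"/(JS|JavaScript|Launch|URI|OpenAction|AA|EmbeddedFile)\b")


def index_objects(data):
    """Map (num, gen) -> list of body bytes, in the order they appear in the file."""
    objs = {}
    for m in OBJ_RE.finditer(data):
        key = (int(m.group(1)), int(m.group(2)))
        objs.setdefault(key, []).append(m.group(3).strip())
    return objs


def duplicate_objects(objs):
    """Objects defined more than once with differing bodies (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL shape).

    'active' is True when any definition carries active content; that is the
    case where the duplicate deserves a higher severity than a benign update.
    """
    findings = []
    for key, bodies in objs.items():
        if len(set(bodies)) > 1:
            findings.append({
                "obj": key,
                "first": bodies[0],
                "last": bodies[-1],
                "active": any(ACTIVE_RE.search(b) for b in bodies),
            })
    return findings


def resolve(objs, policy="last"):
    """Body each object resolves to under a first-wins or last-wins reader."""
    return {k: (v[0] if policy == "first" else v[-1]) for k, v in objs.items()}


def extract_uris(objs, policy="last"):
    """Link-annotation URIs as seen by a reader with the given resolution policy."""
    resolved = resolve(objs, policy)
    uris = []
    for key in sorted(resolved):
        uris.extend(u.decode("latin-1") for u in URI_RE.findall(resolved[key]))
    return uris


def link_farm_score(uris, file_size, max_size=200 * 1024, min_pdf_links=3, cluster_ratio=0.6):
    """PDF_SEO_LINK_FARM shape: small file, many external .pdf links, mostly on one host.

    The thresholds are assumptions chosen for this example, not the platform's.
    """
    hosts = Counter(urlsplit(u).hostname or "" for u in uris)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    pdf_links = sum(1 for u in uris if urlsplit(u).path.lower().endswith(".pdf"))
    clustered = top_n / len(uris) if uris else 0.0
    hit = file_size <= max_size and pdf_links >= min_pdf_links and clustered >= cluster_ratio
    return {"links": len(uris), "pdf_links": pdf_links, "top_host": top_host,
            "cluster_ratio": round(clustered, 2), "hit": hit}


if __name__ == "__main__":
    objs = index_objects(SAMPLE_PDF)
    for d in duplicate_objects(objs):
        print("duplicate object %d %d, active=%s" % (d["obj"][0], d["obj"][1], d["active"]))
    for policy in ("first", "last"):
        print(policy + "-wins URIs:", extract_uris(objs, policy))
    print(link_farm_score(extract_uris(objs, "last"), len(SAMPLE_PDF)))
```

Running it on the constructed sample reports object 4 0 as a duplicate carrying active content, shows that a first-wins reader sees the benign example.org link in object 4 while a last-wins reader sees the botokaw.invalid redirect, and scores the file as a link-farm hit because three of four links are .pdf targets on one host. On a real sample, feed `open(path, "rb").read()` to `index_objects` and compare the two URI lists: any URI that appears only under one policy is the one a target reader will follow while a first-wins scanner never sees it.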

Extracted artifacts 2

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000e9e1.bin
    SHA-256: 1560e8d04e5b02bb4f8b31ea4b171de747fe05d783e84166d4e758d274e93af3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE9E1
    Size: 5652 bytes
  • font_01_sfnt_off0000fd27.bin
    SHA-256: 9cae2ffff245b068ff067f3edefb23f47ad606299206f250b48bcf0c06dee139
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFD27
    Size: 13076 bytes