Malicious PDF — malware analysis report

Static analysis result for SHA-256 fb85b44de9390a1c…

MALICIOUS

PDF

88.7 KB Created: 2021-03-16 11:03:16 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0f24a8cc7c1c7ee6fe0e3fc6ee374c68 SHA-1: 750b851b0987a2b93975ccf055fa4baebff6e5ff SHA-256: fb85b44de9390a1c2b04f563dd6a891cf9773e6f7cc80d29d262bff12d850260
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains a large number of external links, many hosted on disposable domains, suggesting a link farm or SEO manipulation tactic. One of the extracted URLs, 'https://botokaw.ru/123?utm_term=i+hate+my+google+feud+answers+2018', is particularly suspicious and likely leads to a phishing or malware distribution site. No scripts were extracted, but the PDF structure itself is designed to redirect users to external content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://botokaw.ru/123?utm_term=i+hate+my+google+feud+answers+2018
    • https://tulosiwawi.weebly.com/uploads/1/3/5/3/135326734/vatipanisolalum.pdf
    • https://static.s123-cdn-static.com/uploads/4449771/normal_5fecb2b803c5a.pdf
    • https://jizirazizeki.weebly.com/uploads/1/3/4/5/134509590/cda5d5fe1670fd.pdf
    • https://tidumexuxuzi.weebly.com/uploads/1/3/1/0/131071252/pumosefirusodemeju.pdf
    • https://falojabuvo.weebly.com/uploads/1/3/4/7/134774067/nagepaneme_lifelovajibetot_fojaji_dikuxejuzoju.pdf
    • https://cdn-cms.f-static.net/uploads/4366312/normal_60420564b7b29.pdf
    • https://wilaruxade.weebly.com/uploads/1/3/4/8/134865150/zugopiladedej.pdf
    • https://cdn-cms.f-static.net/uploads/4480591/normal_605053ecb0b99.pdf
    • http://zonizubiro.getenjoyment.net/nobulepewozonex.pdf
    • https://lilonukile.weebly.com/uploads/1/3/4/7/134767916/butozumozako_kuxudapemavuvu_gigapedizobe_xagixepus.pdf
    • http://dorutote.scienceontheweb.net/jasuvukigivuzavuregikud.pdf
    • https://nugukijozagesek.weebly.com/uploads/1/3/0/7/130739433/dizimijo.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://d8acad56-eb9a-42d1-a06c-a695c5b02328.filesusr.com/ugd/0ad6c7_4be1d3da3f194115b8cb83eb6b833041.pdf?index=true
    • https://96a9e3af-f0c3-4048-9e6c-0ad8da3c6018.filesusr.com/ugd/15d534_8c8d875ef0f84666a5d4d9913a764010.pdf?index=true
    • https://9334512a-4df1-45dc-8804-f0fa1d9e2a3d.filesusr.com/ugd/9466eb_78473fa9f4ca495b9f647584796b8ffb.pdf?index=true
    • https://22fea36a-5e19-4af1-b4aa-fe6e1efe0ee9.filesusr.com/ugd/b5a188_2a9459d9172d47639eab41526a46a832.pdf?index=true
    • http://lexamokoxerum.atwebpages.com/bawazerozukowagax.pdf
    • https://88bec3ce-9cdd-4818-a95b-bcf8ac49d1e7.filesusr.com/ugd/72df48_355770c5c512453eb66e595d6146b327.pdf?index=true
    • https://d7ae471b-a447-437d-81b4-4e603f8679d9.filesusr.com/ugd/0a3240_4e0543e74c484fc0ba4f6d941ea1224b.pdf?index=true
    • https://51f47fa2-20f7-4ec4-bb91-8ae4aee689b4.filesusr.com/ugd/917232_7c3cae8036a64b6fb7267fee3c49fabe.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001137a.bin
5fafc965ca771a1c340c5fe53457ad6bb05aac9a7ae7b46a697c45ed150af8a6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1137A 5972 bytes
font_01_sfnt_off000127c1.bin
f016711a38eb0fbada2a1ebc1a9ac4db38a297a49881cc9ca159091fcca25f2a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x127C1 13608 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.