Malicious PDF — malware analysis report

Static analysis result for SHA-256 06d6b333950606d1…

Verdict: MALICIOUS
File type: PDF
Size: 75.1 KB
Created: 2021-04-26 20:17:50 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1bbb4e0e0163f42785ec58746ac3ce2e
SHA-1: 2c18191a2fc68e7cf36fd77887fcfa539bcc124e
SHA-256: 06d6b333950606d126d21d25c2f568c01933bbfed6db599b9280ae4b66f640b2
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF document contains a large number of external links, many of which point to PDF files hosted on file-sharing services, suggesting a link farm or phishing campaign. The primary URL, https://ponafet.ru/strik, is likely used to redirect users to malicious content. The ClamAV detection and ML classifier strongly indicate malicious intent, likely related to phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    The PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ponafet.ru/strik?utm_term=los+juegos+del+hambre+1+pelicula+pelisplus

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000e39e.bin
    SHA-256: cff3cdfa7a0278a64ec3777429d9d712e480d8c5fd97040110f285fdd36737fe
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE39E
    Size: 5696 bytes
  • Filename: font_01_sfnt_off0000f6d3.bin
    SHA-256: 869629b8f387d8236a1f7f4a1b0ec76ba170cc2cc3a1df0f9caa0b486d711d8b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF6D3
    Size: 11664 bytes