Malicious PDF — malware analysis report

Static analysis result for SHA-256 0d0d1d1dc5396d6c…

Verdict: MALICIOUS
File type: PDF
Size: 74.6 KB
Created: 2021-03-25 16:02:56 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4e150146aba57de163200057ac5371b7
SHA-1: d33e01d313216a52f3bda1c9943a1bf8317c7958
SHA-256: 0d0d1d1dc5396d6c3a40a496ac9233c798f7e3e5968aad86c3b5beb117e2fe4f
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged as malicious by ClamAV (Pdf.Phishing.Trojan) and by an ML classifier with high confidence. It contains numerous external links, one of which is a suspicious URL pointing to 'ponafet.ru'. The heuristic 'PDF_SEO_LINK_FARM' indicates a large number of external links, suggesting an attempt to manipulate search results or distribute malicious content. While no scripts were extracted, the nature of the links and the detection names suggest a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ponafet.ru/123?utm_term=golongan+anti+jamur+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000e904.bin
    SHA-256: 3edec4d4fc12d6930a1b34c21b51b4a4174a10bd8b444d32ce34c9fc2888c87d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE904
    Size: 5288 bytes
  • Filename: font_01_sfnt_off0000faf8.bin
    SHA-256: 68e507ce3b6f7fd49137a00355410be482533fa0c351408a6835570abd1fdff2
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFAF8
    Size: 9984 bytes