Malicious PDF — malware analysis report

Static analysis result for SHA-256 1106e449fe15a0cb…

MALICIOUS

PDF

78.3 KB Created: 2021-03-21 08:40:48 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1c883892cd73ec7c7a4df017658f5366 SHA-1: 6e7a0ef17822a5560769f12740d33b30a9c82557 SHA-256: 1106e449fe15a0cb54675abec91b55962ecf3217da62ce615f8f66b87a8587d3
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains a large number of external links, many of which point to PDF files hosted on various platforms, suggesting a link farm or SEO spam tactic. One prominent URL, 'https://ponafet.ru/123?utm_term=vildagliptin+metformin+50%252F+1000', appears to be part of a phishing or scam attempt related to pharmaceutical products. The ClamAV detection and ML classifier strongly indicate malicious intent, likely related to phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ponafet.ru/123?utm_term=vildagliptin+metformin+50%252F+1000
    • https://bavopasivivewid.weebly.com/uploads/1/3/0/7/130738836/0199329.pdf
    • https://static.s123-cdn-static.com/uploads/4478378/normal_5ffb11da2576c.pdf
    • https://gimepokik.weebly.com/uploads/1/3/1/6/131636980/9727986.pdf
    • https://cdn-cms.f-static.net/uploads/4446399/normal_6013f4e53eadf.pdf
    • https://letotanuvimipe.weebly.com/uploads/1/3/4/5/134598603/4695374.pdf
    • https://static.s123-cdn-static.com/uploads/4424662/normal_5ff69d25dc3db.pdf
    • https://cdn-cms.f-static.net/uploads/4423714/normal_602e987692df2.pdf
    • https://ripilebaxozeduv.weebly.com/uploads/1/3/4/2/134266308/xejop.pdf
    • https://cdn-cms.f-static.net/uploads/4480142/normal_6020988118b42.pdf
    • https://pixamowogiru.weebly.com/uploads/1/3/4/5/134590731/7ca313cdbf22.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/1420d83a-a06c-45e8-849e-279d827e48e4/how_many_days_is_priority_mail_international.pdf
    • https://uploads.strikinglycdn.com/files/e1b4b7a6-f2ee-4ab7-b0e9-31b6f9cd5028/68750070367.pdf
    • https://57933e30-1e86-4cbe-ad2b-777cb72f9932.filesusr.com/ugd/235f1a_341377fa80b24bac8c7e3bbf67bc6def.pdf?index=true
    • https://uploads.strikinglycdn.com/files/5ae68e28-1672-46e8-aef1-2c1ac6d30c36/how_to_rap_better_flow.pdf
    • https://uploads.strikinglycdn.com/files/f46a33d4-69d8-4f09-a54e-1ba830e96edf/zalegunefufunuxudotumasaz.pdf
    • https://ee60c613-3dd1-430d-b711-08e3dcbf0273.filesusr.com/ugd/19ce5d_8f958ce5062e4b60b4240063055e64fd.pdf?index=true
    • https://uploads.strikinglycdn.com/files/d1165b07-3d7e-4843-a506-c6473dc58077/how_to_start_playing_table_tennis.pdf
    • https://uploads.strikinglycdn.com/files/1190055d-9741-46e2-9566-1566c41196d1/dsc_1616_quick_reference_guide.pdf
    • https://8767aa75-4bd5-48c0-94ca-24e983238001.filesusr.com/ugd/debdc1_0d0d8ae5acc745a98fc108633baa8e1b.pdf?index=true
    • https://uploads.strikinglycdn.com/files/26d1fd30-4e1d-41e1-8fcb-1d2fba8476af/guwaji.pdf
    • https://bb74f61c-7045-47bf-9a7e-968101ee373e.filesusr.com/ugd/81ef4b_077dbb33ef95415aa241bb57994bddf9.pdf?index=true
    • https://uploads.strikinglycdn.com/files/3f8fa529-be06-4f02-b5b2-967559ebd7b9/48302466039.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f46f.bin
7206cc71d3e409b02c87227f565c10060b6e470bbee3221763a2b1e1e689e939		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF46F 5504 bytes
font_01_sfnt_off0001072c.bin
ad28e77f2267fb59629d586493099ce913bd45c49bd123d24efd41c11fb40011		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1072C 10772 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.