Malicious PDF — malware analysis report

Static analysis result for SHA-256 1e5074c419d782b0…

MALICIOUS

PDF

Size: 77.8 KB
Created: 2021-03-25 16:08:50 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f98f5afaf6422a5138feb45b7a47d0db
SHA-1: 62e618f902a118e4a01461c45ae54a202df32f33
SHA-256: 1e5074c419d782b05d550e4e34fd26a1771894135dcc50ffc62f811a57bb2f51
Risk Score: 156

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1059.007 Command and Scripting Interpreter: JavaScript

The sample is flagged malicious by ClamAV (Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0) and by the Nyx ML classifier (score 0.9997). The critical heuristic is a mass external link farm: a small, wkhtmltopdf-generated PDF whose clickable links point to machine-named .pdf files on weebly.com, cdn-cms.f-static.net and s3.amazonaws.com buckets and to throwaway domains (hookup681.site, pixell.store, susurrus.space, sandwichhq.club, fsbsiod.com). This is the generated SEO carrier pattern used to route users into phishing or unwanted-software download chains rather than a normal citation pattern; the link to ponafet.ru (a "strik" path carrying an SEO utm_term) is the most likely redirect entry point. No JavaScript or other script content was extracted, so the T1059.007 mapping rests on the ClamAV and classifier verdicts rather than on observed code. The remaining URLs (w3.org, purl.org, ns.adobe.com, scripts.sil.org/OFL and ascendercorp.com) are XMP namespace and font-licence references consistent with the two embedded sfnt fonts, not clickable links. The duplicate object definition is rated informational only; neither copy carries active content.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9997

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    A small PDF contains many clickable external links to other PDFs, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware under the signature name above.
  • PDF_URI (info): External URI
    The PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used in targeted malicious PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content; here it does not.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels show which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ponafet.ru/strik?utm_term=breakfast+nook+woodworking+plans
    • https://kimuremosov.weebly.com/uploads/1/3/4/7/134732255/ribovupegele_zuvovidelejedi_kuxiso_xosovosesuvifor.pdf
    • http://fsbsiod.com/gipezonuwixizakisogu16dyc.pdf
    • https://cdn-cms.f-static.net/uploads/4367912/normal_604f6b50c17cb.pdf
    • https://cdn-cms.f-static.net/uploads/4470967/normal_605625c851ed5.pdf
    • http://hookup681.site/710404132618lwmd.pdf
    • https://cdn-cms.f-static.net/uploads/4469135/normal_605ad2807817d.pdf
    • http://pixell.store/774579264588sxwu.pdf
    • https://cdn-cms.f-static.net/uploads/4409819/normal_603eabc9574dc.pdf
    • https://baputopozim.weebly.com/uploads/1/3/5/3/135336161/sudexuju.pdf
    • http://susurrus.space/network_systems_administrator_job_descriptionkuoqw.pdf
    • http://sandwichhq.club/vobomirituluj8hew.pdf
    • https://zokelafeg.weebly.com/uploads/1/3/4/8/134889419/fugegogufigogosezijo.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/mafavuzenoliki/big_hero_6_full_movie_tamilrockers.pdf
    • https://s3.amazonaws.com/liwara/56702595367.pdf
    • https://s3.amazonaws.com/wewiro/copd_treatment_guideline_2019.pdf
    • https://s3.amazonaws.com/bejikefowu/chamma_chamma_video_song_hd.pdf
    • https://s3.amazonaws.com/vidadaviwal/35691985517.pdf
    • https://s3.amazonaws.com/negonanopix/22007454775.pdf
    • https://s3.amazonaws.com/wesezuzuvalirik/business_contract_termination_email_template.pdf
    • https://s3.amazonaws.com/bidivo/51347880346.pdf
    • https://s3.amazonaws.com/sowewazulejewi/my_genes_made_me_do_it.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
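The two structural heuristics above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, can be reproduced with a byte-level scan that needs no PDF library. The Python below is an added example, not the scanner's own code: it inventories /URI link targets, scores how strongly they cluster on one host, and lists object numbers defined twice with differing bodies, keeping both copies so you can see what a first-wins and a last-wins reader would each resolve. The thresholds, the ACTIVE_KEYS list and the sample PDF built by build_sample() are assumptions constructed for the demonstration.

```python
"""Raw-byte PDF triage that reproduces two structural heuristics from the report:
PDF_SEO_LINK_FARM (many clickable external links, mostly on one host) and
PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (the same 'N G obj' defined twice with
different bodies; severity raised only when a copy carries active content).
Added example, not the scanner's code. Thresholds, key list and the sample PDF
are constructed assumptions for the demonstration."""
import re
from collections import Counter
from urllib.parse import urlsplit

# 'N G obj ... endobj' in file order. An incremental update appends a second
# definition of the same N G after the first %%EOF, so both copies are seen.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
# /URI (literal string) of a link action; tolerates \( \) \\ escapes inside.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
# Keys that make a silently redefined object worth raising (assumed list).
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction", b"/AA", b"/URI")


def iter_objects(data: bytes):
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip()


def extract_uris(data: bytes):
    """Every /URI target in file order (an inventory, not a detection)."""
    return [re.sub(rb"\\(.)", rb"\1", m.group(1)).decode("latin-1")
            for m in URI_RE.finditer(data)]


def link_farm(uris, min_links=8, min_top_share=0.5):
    """Flag when at least min_links distinct http(s) links exist and the
    busiest host owns at least min_top_share of them (assumed thresholds)."""
    hosts = Counter()
    for u in dict.fromkeys(uris):            # de-duplicate, keep order
        p = urlsplit(u)
        if p.scheme in ("http", "https") and p.hostname:
            hosts[p.hostname] += 1
    total = sum(hosts.values())
    if not total:
        return {"flag": False, "links": 0, "top_host": None, "top_share": 0.0}
    top_host, top_n = hosts.most_common(1)[0]
    share = round(top_n / total, 2)
    return {"flag": total >= min_links and share >= min_top_share,
            "links": total, "top_host": top_host, "top_share": share}


def duplicate_objects(data: bytes):
    """(num, gen) -> [body, ...] for objects defined more than once with
    differing bytes. bodies[0] is what a first-wins reader resolves,
    bodies[-1] what a last-wins reader resolves. Byte-identical rewrites
    (common in benign incremental updates) are dropped."""
    seen = {}
    for num, gen, body in iter_objects(data):
        seen.setdefault((num, gen), []).append(body)
    return {k: v for k, v in seen.items() if len(set(v)) > 1}


def triage(data: bytes):
    dups = duplicate_objects(data)
    active = sorted(k for k, bodies in dups.items()
                    if any(key in b for b in bodies for key in ACTIVE_KEYS))
    return {"link_farm": link_farm(extract_uris(data)),
            "duplicate_objects": sorted(dups),
            "duplicate_active": active}


def build_sample() -> bytes:
    """Constructed PDF: 10 link annotations on one host plus 2 elsewhere, then
    an incremental update that rewrites object 4 byte-identically (benign) and
    replaces object 5's /URI link with a JavaScript action. Xref tables are
    omitted because the byte-level scan above never consults them."""
    links = [f"https://cdn.example/uploads/{i}/normal_{i:06x}.pdf" for i in range(10)]
    links += ["http://lure.example/strik?utm_term=plans", "https://other.example/x.pdf"]
    objs, refs = [], []
    for n, u in enumerate(links, start=4):
        refs.append(f"{n} 0 R")
        u = u.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
        objs.append(f"{n} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                    f"/A << /S /URI /URI ({u}) >> >>\nendobj\n")
    original = ("%PDF-1.4\n"
                "1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
                "2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
                f"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [{' '.join(refs)}] >>\nendobj\n"
                + "".join(objs) + "trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    update = (objs[0]
              + "5 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                "/A << /S /JavaScript /JS (app.launchURL\\(\"http://lure.example/\"\\)) >> >>\nendobj\n"
              + "trailer\n<< /Root 1 0 R /Prev 0 >>\n%%EOF\n")
    return (original + update).encode("latin-1")


if __name__ == "__main__":
    print(triage(build_sample()))
```

To run it against the real sample, pass the file's bytes to triage() instead of build_sample(). One caveat worth keeping in mind: this regex scan only sees objects that sit uncompressed in the file body, so on a PDF 1.5+ file that packs its objects into compressed object streams (/ObjStm) a count of zero links or duplicates is not a clean result until those streams are inflated first.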

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f221.bin
  SHA-256: c2b5d69dc1316a53b23de6eed4096f2b865fe099915f715f8b0e783360febdab
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xF221
  Size:    5416 bytes

Filename: font_01_sfnt_off000104bb.bin
  SHA-256: da83942c35c2c53ad59e71ec4bcda11c158e59386cae74a88874af8ffb8aae7e
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x104BB
  Size:    10892 bytes