Malicious PDF — malware analysis report

Static analysis result for SHA-256 20e805b686307a06…

Verdict: MALICIOUS
File type: PDF
Size: 74.1 KB
Created: 2021-03-22 03:21:37 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: acad5a9d82b7ec26e6bb70c59cffc5ad
SHA-1: 14fbe5ee12ee6d3fe0dbf9f2da40569a8dc4727c
SHA-256: 20e805b686307a06d25fa31e3385a023d5c0a03972c54945d8448473fe99ea19
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The PDF contains a significant number of external links, suggesting a link farm or SEO manipulation tactic. One of the embedded URLs, https://ponafet.ru/123?utm_term=cake+photos+hd+image, is flagged as suspicious and likely serves as a lure or distribution point for further malicious activity.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (5)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ponafet.ru/123?utm_term=cake+photos+hd+image
    • https://gunobome.weebly.com/uploads/1/3/1/3/131398345/zujugisu-xosovire-guruvorotud-masabedoxipe.pdf
    • https://guvefivilemu.weebly.com/uploads/1/3/4/3/134397682/3724840.pdf
    • https://cdn-cms.f-static.net/uploads/4369781/normal_5fd84c00d8e4b.pdf
    • https://nutovavodus.weebly.com/uploads/1/3/4/0/134012609/ronob.pdf
    • https://pufukowog.weebly.com/uploads/1/3/4/5/134583281/lujuvawojixapiwotab.pdf
    • https://static.s123-cdn-static.com/uploads/4417988/normal_5ff7b6f54f014.pdf
    • https://cdn-cms.f-static.net/uploads/4405895/normal_602908630c6ea.pdf
    • https://static.s123-cdn-static.com/uploads/4446034/normal_5ffe27508ed07.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/691e6981-8796-4d59-ab3f-2d3980176a31/what_happens_if_we_become_immortal.pdf
    • https://67d298e0-85f4-4ad4-bf36-e1ac857e42fc.filesusr.com/ugd/b6bf5b_568e06f9172c4c5a977c7869a95daef9.pdf?index=true
    • https://45ae50e1-98a8-4501-9ad6-fc0df438eb43.filesusr.com/ugd/b16523_3a2454121d614d649f812a71fe84c15b.pdf?index=true
    • https://c480cc3d-c044-45b7-a7fa-747782367dcd.filesusr.com/ugd/a26f59_fd4a956071214ba480465fcd09090b89.pdf?index=true
    • https://d9226533-59f4-4737-ae77-cfa9cdee5378.filesusr.com/ugd/d7c203_27403814e05e4ebface2763acd08b306.pdf?index=true
    • https://80d0ab3e-5d82-4547-8f02-ffe19150e389.filesusr.com/ugd/776b9b_684832b5d8b14f2c8843957638128616.pdf?index=true
    • https://9b08d158-0e0f-4203-9b31-e1272d977b1c.filesusr.com/ugd/086daf_6c4762540dca4e4eb04af676a1a37a91.pdf?index=true
    • https://uploads.strikinglycdn.com/files/351ab6e5-0dbe-40bb-b0e8-232f76e07cba/30672375607.pdf
    • https://ddc7b23b-31e5-4b5c-aaad-d3b7cef26861.filesusr.com/ugd/e506b8_e1c2c53193ec46f1b70d8e5f2136e508.pdf?index=true
    • https://uploads.strikinglycdn.com/files/fdd92d70-96b9-4d03-acd2-a4f46be3c70b/kung_fury_movies_like.pdf
    • https://0306adf0-382e-42f1-903d-71c3961c97f1.filesusr.com/ugd/7ff653_6ece50bdf9db4c4690cfbb314fb0097c.pdf?index=true
    • https://cd489911-dc6d-4439-b408-84622343fb93.filesusr.com/ugd/d8e941_171ce77419df49ddbc65dd26966f444d.pdf?index=true
    • https://a815f367-2516-4b88-9496-eed07d5c1eb7.filesusr.com/ugd/665c20_da95ff5919634a4d8ed7acd65dd0b9a1.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000e41c.bin
  SHA-256: 4674310d749887b786379870c89be48179661d090ee7d5fafbe7348b9f776886
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xE41C
  Size: 5212 bytes

Filename: font_01_sfnt_off0000f5b3.bin
  SHA-256: 863a9af5ffa10324f21141b323b450cc92012891c9521e1507a86fab6d63abb1
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF5B3
  Size: 11040 bytes