Malicious PDF — malware analysis report

Static analysis result for SHA-256 2149558ac899a74f…

Verdict: MALICIOUS
File type: PDF
Size: 80.7 KB
Created: 2021-04-02 21:43:19 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 72e3405216c5524088fd9ddc09ce8bc7
SHA-1: 7c00b557b233977c5ce2b100cf5bdfef51e489fa
SHA-256: 2149558ac899a74ff9348d28eb15328f52bcebb7e37c71daf845758b1c2e05dd
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The file was flagged independently by a ClamAV signature, by the Nyx ML classifier (malicious score 0.9997) and by the link-farm heuristic. It carries an unusually large number of clickable external links to other PDFs, most of them on free web-hosting CDNs, which matches a generated SEO/link-farm carrier rather than a normal document's citations. The primary suspicious URL is https://ponafet.ru/award?keyword=causes+of+food+contamination+pdf; its keyword parameter is the shape of an SEO-driven redirector that routes searchers into a phishing or unwanted-software delivery chain. Note that none of the static heuristics below report a JavaScript object, so the T1059.007 tag is not backed by an extracted script in this pass.

Machine Learning

  • Nyx PDF Classifier: malicious, score 0.9997

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): small PDF contains a mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV signature Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
    ClamAV detected this file as malware under the signature above.
  • PDF_URI (info): external URI
    The PDF contains at least one external URL action (a /URI action).
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve it to different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate definition carries active content (for example a JavaScript or URI action).
  • EMBEDDED_URL (info): embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; which channel (macro, JS, link annotation, document body, ...) reached each URL is recorded per URL, and those labels are not reproduced in this listing. All extracted URLs follow. The first is the one flagged in the summary; most of the rest are link-annotation targets, almost all .pdf files on web-hosting CDNs (weebly.com, filesusr.com, strikinglycdn.com, s3.amazonaws.com). The two ascendercorp.com links point at a type foundry's website and most likely come from embedded-font metadata rather than a clickable link; the www.w3.org, purl.org, ns.adobe.com and scripts.sil.org entries are XMP metadata namespace and font-licence identifiers, not link targets.
    • https://ponafet.ru/award?keyword=causes+of+food+contamination+pdf (primary suspicious URL)
    • https://taresazafo.weebly.com/uploads/1/3/5/3/135335901/5f048aa57d57.pdf
    • https://levarimabogi.weebly.com/uploads/1/3/5/3/135328943/mafedefisi.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://2daccc73-8708-4113-a26a-4f38906335d9.filesusr.com/ugd/f65175_fd30ceaef2b142f9ae5be1507130aa63.pdf?index=true
    • https://uploads.strikinglycdn.com/files/a4595f71-10cb-4e05-97ed-9b47ee1ed706/57762638234.pdf
    • https://uploads.strikinglycdn.com/files/afcfddcc-da84-43ba-8439-88f4766650e7/homeready_qualifying_income_or_household_income.pdf
    • https://uploads.strikinglycdn.com/files/db8de77f-f774-4801-b811-acfc6765ca36/50944907310.pdf
    • https://5a11eff3-0c7a-45dd-bb89-060d4d4d2060.filesusr.com/ugd/72216b_7804ad6abe424ad8b49cc8c8d0c5e65c.pdf?index=true
    • https://uploads.strikinglycdn.com/files/83f0b673-49c3-4bcc-9b02-b31ed596c612/is_a_cool_mist_humidifier_good_for_allergies.pdf
    • https://uploads.strikinglycdn.com/files/f0bb7bbe-924d-4062-875a-1507ec7ca2d7/lizogelijexam.pdf
    • https://7f3356c1-ec1f-498a-9d41-5b36c14d87b7.filesusr.com/ugd/98d33d_9f660a71b93c4c46b3d53fec487449ea.pdf?index=true
    • https://42190e62-4dca-482d-a077-ae7b222d7779.filesusr.com/ugd/b91392_9c75640b6aba479f91f0b4a4be92273e.pdf?index=true
    • https://s3.amazonaws.com/vedexajawo/nudadetulodanozometikel.pdf
    • https://5090cb7a-f7dd-45b7-a4a3-960150b62b23.filesusr.com/ugd/dfd4af_992500538e6a478b92106f371b74d7c1.pdf?index=true
    • https://uploads.strikinglycdn.com/files/3718a141-ef4f-461d-9333-48dcd2754167/bokigikumafibarasinul.pdf
    • https://e6f9d1db-9bad-45ba-a188-0e8e378e8087.filesusr.com/ugd/99b222_a9403c048ffa4a68b197c05bf91920ec.pdf?index=true
    • https://uploads.strikinglycdn.com/files/fb56f730-6d08-4f98-9743-b84523628a82/is_business_analytics_a_hard_degree.pdf
    • https://dab7fb03-f2af-4a8e-9cb9-31de623bedb3.filesusr.com/ugd/58b596_a921c7e77f51435388c940310a810e6a.pdf?index=true
    • https://29aa9d28-cc9d-45fc-8d86-3718b5881c84.filesusr.com/ugd/74c34a_dc42d95cdc2047ee8a8e78576761ffeb.pdf?index=true
    • https://s3.amazonaws.com/vuxirefare/porter_cable_pancake_compressor_regulator_repair.pdf
    • https://8cff94d3-ecab-4ea5-ad27-d3e67d02fd32.filesusr.com/ugd/2813e2_15ce31ac159742c3a932efd313271740.pdf?index=true
    • https://uploads.strikinglycdn.com/files/39bc7139-626c-4a84-812b-d864d2b0d90e/epson_v550_scanner.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
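The link-farm and duplicate-object heuristics above, as an added example in Python. This is not the analysis platform's own code: it scans raw PDF bytes with a deliberately minimal object scanner (no object streams, no encryption), resolves duplicate objects both first-wins and last-wins, and scores link clustering per registrable host. The constructed sample PDF, the thresholds (at most 200 KB, at least 8 .pdf links, at least half of them on one host), the list of dictionary keys treated as active content and the severity labels are all assumptions made for this example.

```python
"""PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL over raw PDF bytes.
Added example for this report, not the analysis platform's code."""
import re
from collections import Counter
from urllib.parse import urlparse

# Minimal scanner for "N G obj ... endobj"; ignores object streams, encryption
# and any stream whose data happens to contain "endobj". Not a PDF parser.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Keys treated as "active content" (an assumed list chosen for this example).
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA",
               b"/URI", b"/SubmitForm", b"/GoToR", b"/EmbeddedFile")


def scan_objects(data):
    """All indirect object definitions in file order, duplicates included:
    (num, gen, body, file_offset)."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3).strip(), m.start())
            for m in OBJ_RE.finditer(data)]


def resolve(objects, policy):
    """Collapse duplicate (num, gen) the way a first-wins or last-wins reader does."""
    table = {}
    for num, gen, body, _ in objects:
        if policy == "first" and (num, gen) in table:
            continue
        table[(num, gen)] = body
    return table


def find_duplicate_objects(objects):
    """Same (num, gen) defined more than once with different bytes. Body-only
    differences stay 'info' (a normal incremental update); severity is raised
    when any variant of the object carries active content."""
    seen = {}
    for num, gen, body, off in objects:
        seen.setdefault((num, gen), []).append((off, body))
    findings = []
    for key, variants in seen.items():
        bodies = {body for _, body in variants}
        if len(bodies) < 2:
            continue
        active = any(k in body for body in bodies for k in ACTIVE_KEYS)
        findings.append({"obj": key, "definitions": len(variants),
                         "first_offset": variants[0][0], "last_offset": variants[-1][0],
                         "severity": "suspicious" if active else "info"})
    return sorted(findings, key=lambda f: f["obj"])


def registrable_host(url):
    """Rough eTLD+1 so per-customer CDN subdomains count as one host."""
    parts = (urlparse(url).hostname or "").split(".")
    return ".".join(parts[-2:])


def link_farm_check(data, policy="last", max_size=200_000, min_links=8, min_share=0.5):
    """Small file + many external .pdf links + most of them on one host.
    Thresholds are assumptions; the policy decides which duplicate body wins."""
    urls = []
    for body in resolve(scan_objects(data), policy).values():
        for raw in URI_RE.findall(body):
            url = raw.decode("latin-1")
            parsed = urlparse(url)
            if parsed.scheme in ("http", "https") and parsed.path.lower().endswith(".pdf"):
                urls.append(url)
    hosts = Counter(registrable_host(u) for u in urls)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_n / len(urls) if urls else 0.0
    flagged = len(data) <= max_size and len(urls) >= min_links and share >= min_share
    return {"size": len(data), "pdf_links": len(urls), "top_host": top_host,
            "top_share": round(share, 2), "flagged": flagged, "urls": urls}


def build_sample_pdf():
    """Constructed input (not the analysed sample; no xref, so viewers would
    repair it): 12 link annotations, 9 on one CDN host, then an incremental
    update redefining object 5 (a link, active) and object 4 (/Info, benign)."""
    hosts = ["cdn.example.test"] * 9 + ["a1b2.files.test", "c3d4.files.test", "s3.other.test"]
    annots = " ".join(f"{5 + i} 0 R" for i in range(len(hosts)))
    out = [b"%PDF-1.4\n",
           b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Info 4 0 R >>\nendobj\n",
           b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
           f"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
           f"/Annots [{annots}] >>\nendobj\n".encode(),
           b"4 0 obj\n<< /Producer (wkhtmltopdf) /ModDate (D:20210402214319) >>\nendobj\n"]
    for i, host in enumerate(hosts):
        out.append(f"{5 + i} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 {i * 20} 200 {i * 20 + 15}] "
                   f"/A << /S /URI /URI (https://{host}/files/doc{i:02}.pdf) >> >>\nendobj\n".encode())
    out.append(b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    # Incremental update: same object numbers, different bodies.
    out.append(b"5 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 200 15] "
               b"/A << /S /URI /URI (https://redirect.elsewhere.test/go.pdf) >> >>\nendobj\n")
    out.append(b"4 0 obj\n<< /Producer (wkhtmltopdf) /ModDate (D:20210403090000) >>\nendobj\n")
    out.append(b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return b"".join(out)


if __name__ == "__main__":
    pdf = build_sample_pdf()
    for policy in ("first", "last"):
        r = link_farm_check(pdf, policy)
        print(policy, "wins:", r["pdf_links"], "pdf links, top host", r["top_host"],
              r["top_share"], "FLAGGED" if r["flagged"] else "clean")
    for f in find_duplicate_objects(scan_objects(pdf)):
        print("duplicate object", f["obj"], f["severity"], "offsets", f["first_offset"], f["last_offset"])
```

Run as-is, the sample is flagged under both resolution policies, but the URL behind object 5 differs: a first-wins reader sees the CDN link, a last-wins reader sees the redirect host. That disagreement is exactly what the duplicate-object heuristic reports, and it is why a scanner should extract URLs under both policies rather than trusting whichever one its PDF library happens to implement.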

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000fb6f.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xFB6F   5080 bytes
  SHA-256: 5cddaa86d3d5a4a95eed38e3ab8dd6c3a4a1df56714c006dbdd2b6e922aa26e4
font_01_sfnt_off00010ca9.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x10CA9  11560 bytes
  SHA-256: e8b6d4e073b82a68c8d3c03dc81ebe718de2644634d842e1c546a40cf69467fe
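How font streams like the two above can be carved, as an added example in Python that is not the analysis platform's carver. It locates stream dictionaries with a direct /Length, inflates FlateDecode streams, keeps those whose decoded bytes start with an sfnt magic, and records offset, decoded size and SHA-256 under a font_<index>_sfnt_off<hex offset>.bin name that mirrors the table. It also parses the sfnt table directory as a sanity check, because anything can sit behind a /FontFile2 key and a four-byte magic is trivial to fake. The sample PDF, the two tiny fonts inside it and the decision to report decoded rather than raw size are assumptions made for this example; TrueType collections (ttcf) and nested stream dictionaries are not handled.

```python
"""Carve embedded sfnt (TrueType/OpenType) font streams from a PDF.
Added example for this report, not the platform's own carver."""
import hashlib
import re
import struct
import zlib

# Stream dictionary with a direct /Length (an indirect "/Length 12 0 R" is
# skipped). Does not cope with nested dictionaries such as /DecodeParms << >>.
STREAM_RE = re.compile(rb"/Length\s+(\d+)(?!\d|\s+\d+\s+R)[^>]*>>\s*stream\r?\n")
SFNT_MAGIC = (b"\x00\x01\x00\x00", b"true", b"OTTO")   # ttcf collections not handled


def sfnt_tables(blob):
    """Parse the sfnt offset table and table directory; None if the blob is
    not a well-formed font (magic alone proves nothing)."""
    if len(blob) < 12 or blob[:4] not in SFNT_MAGIC:
        return None
    num_tables = struct.unpack(">H", blob[4:6])[0]
    if len(blob) < 12 + 16 * num_tables:
        return None
    tags = []
    for i in range(num_tables):
        tag, _checksum, off, length = struct.unpack(">4sIII", blob[12 + 16 * i:28 + 16 * i])
        if off + length > len(blob):
            return None          # table record points outside the stream
        tags.append(tag.decode("latin-1"))
    return tags


def carve_sfnt_streams(data):
    """Return one record per stream whose (decoded) data starts with an sfnt magic."""
    found = []
    for m in STREAM_RE.finditer(data):
        start, length = m.end(), int(m.group(1))
        dict_bytes = data[data.rfind(b"<<", 0, m.start()):m.end()]
        blob = data[start:start + length]
        if b"/FlateDecode" in dict_bytes:
            try:
                blob = zlib.decompress(blob)
            except zlib.error:
                continue         # wrong /Length or not really deflate data
        if blob[:4] not in SFNT_MAGIC:
            continue
        idx = len(found)
        found.append({"filename": f"font_{idx:02}_sfnt_off{start:08x}.bin",
                      "kind": "pdf-font-stream", "offset": start, "size": len(blob),
                      "sha256": hashlib.sha256(blob).hexdigest(),
                      "tables": sfnt_tables(blob)})
    return found


def make_sfnt(tables):
    """Constructed, structurally valid sfnt: 12-byte offset table, 16-byte
    records, then the table data (checksums left at 0)."""
    num = len(tables)
    header = struct.pack(">IHHHH", 0x00010000, num, 0, 0, 0)
    data_off, records, payloads = 12 + 16 * num, b"", b""
    for tag, payload in tables:
        records += struct.pack(">4sIII", tag, 0, data_off, len(payload))
        payloads += payload
        data_off += len(payload)
    return header + records + payloads


def build_sample_pdf():
    """Constructed PDF (no xref): a page content stream that must be skipped,
    a plain font stream, a FlateDecode-compressed one, and a stream that only
    wears the OTTO magic."""
    font_a = make_sfnt([(b"head", b"\x00" * 54), (b"glyf", b"\x11" * 100)])
    font_b = make_sfnt([(b"OS/2", b"\x22" * 96)])

    def stream(num, dict_extra, raw):
        return (f"{num} 0 obj\n<< /Length {len(raw)}{dict_extra} >>\nstream\n".encode()
                + raw + b"\nendstream\nendobj\n")

    return b"".join([b"%PDF-1.4\n",
                     stream(1, "", b"BT /F1 12 Tf (hello) Tj ET"),
                     stream(2, f" /Length1 {len(font_a)}", font_a),
                     stream(3, f" /Filter /FlateDecode /Length1 {len(font_b)}", zlib.compress(font_b)),
                     stream(4, "", b"OTTOx"),
                     b"trailer\n<< >>\n%%EOF\n"])


if __name__ == "__main__":
    for rec in carve_sfnt_streams(build_sample_pdf()):
        print(rec["filename"], rec["kind"], "offset", hex(rec["offset"]),
              rec["size"], "bytes", rec["sha256"][:16] + "...", "tables:", rec["tables"])
```

The third record comes back with tables set to None: it has the magic that a naive carver keys on but no table directory, which is the case worth eyeballing by hand. For a real sample, decoding before hashing matters because the SHA-256 of the deflated bytes will not match any font hash database.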