Malicious PDF — malware analysis report

Static analysis result for SHA-256 216009dc341efc42…

Verdict: MALICIOUS
File type: PDF

Size: 76.8 KB
Created: 2021-05-30 04:29:11 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 371e1669993adb2f0a855ecd8c035386
SHA-1: 2523cb1b94f7251ad606bbf95bfc028cc320893d
SHA-256: 216009dc341efc42fb13290bdd7054ce6ca7fa6318cd4761e393ab4b486b7a5c
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript
Note that no heuristic below reports JavaScript in this sample; the only active content listed is URI link actions, so treat the T1059.007 mapping as unconfirmed by this analysis.

The PDF contains a large number of external links that together form a link farm; the primary URL is 'https://ponafet.ru/strik?utm_term=poem+analysis+template+pdf'. This suggests the document exists to route users into a network of websites, most likely for SEO manipulation or to host malicious content. The ML classifier and the ClamAV signature (Pdf.Phishing.Trojan) both indicate malicious intent, classifying the file as a phishing or trojan PDF.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9998

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The rdf-syntax-ns, purl.org/dc and ns.adobe.com entries near the end of the list are XMP metadata namespace identifiers rather than clickable links, and scripts.sil.org/OFL and ascendercorp.com are the kind of licence and foundry URLs that font files carry; the entries relevant to the link-farm heuristic are the .pdf download links on weebly.com, strikinglycdn.com and f-static.net together with the primary ponafet.ru URL.
    Primary URL: https://ponafet.ru/strik?utm_term=poem+analysis+template+pdf
    • https://cdn-cms.f-static.net/uploads/4443576/normal_5fd87a1999971.pdf
    • https://static.s123-cdn-static.com/uploads/4366377/normal_5fe2a9192845d.pdf
    • https://kixovojowabib.weebly.com/uploads/1/3/5/9/135966002/libopotevodose.pdf
    • https://boxavukexuzar.weebly.com/uploads/1/3/0/7/130775797/7484491.pdf
    • https://cdn-cms.f-static.net/uploads/4476133/normal_6048c60f533d0.pdf
    • https://fejamelaluboj.weebly.com/uploads/1/3/4/3/134311679/dobozo_simal_fedolonojewetiz.pdf
    • https://xidatofiguwonu.weebly.com/uploads/1/3/5/3/135391030/pizup.pdf
    • https://mepagalupotope.weebly.com/uploads/1/3/4/2/134265457/7086900.pdf
    • https://marodesama.weebly.com/uploads/1/3/5/3/135349202/vulegalediwow_jepitege_nexokopemulisaj.pdf
    • https://sibanixo.weebly.com/uploads/1/3/1/3/131380297/bigaziro_mobasuma.pdf
    • https://nabofirolem.weebly.com/uploads/1/3/4/6/134632364/95742ba.pdf
    • https://fogodaxo.weebly.com/uploads/1/3/4/6/134606017/8847814.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/91c3d9f2-5edc-434a-9a50-d062ba5bde6e/sakuwuvuritagariz.pdf
    • https://uploads.strikinglycdn.com/files/a798cc06-3d1d-4d8e-a3dd-d79539d41f29/anatomy_and_physiology_coloring_workbook_ch_6.pdf
    • https://uploads.strikinglycdn.com/files/6b532433-4887-4e9c-b7c9-7e6aa0e8020a/raypak_rp2100_digital_control_board.pdf
    • https://uploads.strikinglycdn.com/files/ae11c3ce-f897-4319-953b-906b339cfdba/verizon_mifi_6620l_jetpack_4g_lte_mobile_hotspot_verizon_wireless.pdf
    • https://uploads.strikinglycdn.com/files/8a6139ae-526e-42f7-9a5f-58314339d82e/the_hero_rhonda_byrne.pdf
    • https://uploads.strikinglycdn.com/files/8200f980-33eb-4d7b-956a-897f3d418343/54868216016.pdf
    • https://uploads.strikinglycdn.com/files/25afd7f1-33cc-4360-9b94-bee5b74ef2f9/67703482118.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
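The two structural heuristics above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, can be reproduced on a plain, uncompressed PDF with a few dozen lines. The following Python is an added example written for this page, not the scanner's own code: the sample PDF bytes, the host names in it, the thresholds (five links, half of them on one host) and the function names are all constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# "<num> <gen> obj ... endobj" pairs. Enough for the plain, uncompressed
# objects constructed below; real files need a proper parser first.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
# /URI (literal string). Escaped parentheses are not handled.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")

# Constructed sample (assumption, not the analysed file): six link
# annotations, five of them on one host, plus an incremental update that
# redefines object 4 with a different target. Object 9 is XMP metadata;
# its namespace URL is not a /URI action and must not be counted.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 9 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R 8 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://farm.example/a.pdf) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://farm.example/b.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://farm.example/c.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://farm.example/d.pdf) >> >> endobj
8 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://other.example/e.pdf) >> >> endobj
9 0 obj << /Type /Metadata /Subtype /XML >> stream
<rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'/>
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://farm.example/z.pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def extract_uris(pdf: bytes) -> list:
    """Every /URI action target, in file order (duplicates included)."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf)]


def link_farm_score(uris, min_links=5, min_share=0.5):
    """Return (flagged, top_host, share) for a list of URI targets.

    Only http(s) targets count. Flags when at least min_links external
    links exist and a single host carries at least min_share of them.
    The thresholds are illustrative, not the scanner's."""
    hosts = Counter()
    for u in uris:
        p = urlsplit(u)
        if p.scheme in ("http", "https") and p.hostname:
            hosts[p.hostname.lower()] += 1
    total = sum(hosts.values())
    if total < min_links:
        return False, None, 0.0
    top_host, n = hosts.most_common(1)[0]
    share = n / total
    return share >= min_share, top_host, share


def duplicate_objects(pdf: bytes) -> dict:
    """(num, gen) -> list of bodies, for objects defined more than once
    with differing bodies. A first-wins reader uses the first body, a
    last-wins reader the last, so these are exactly the objects on which
    two parsers can disagree."""
    bodies = {}
    for m in OBJ_RE.finditer(pdf):
        key = (int(m.group(1)), int(m.group(2)))
        bodies.setdefault(key, []).append(m.group(3).strip())
    return {k: v for k, v in bodies.items() if len(set(v)) > 1}


if __name__ == "__main__":
    uris = extract_uris(SAMPLE_PDF)
    print("links:", len(uris), "link farm:", link_farm_score(uris))
    for (num, gen), versions in duplicate_objects(SAMPLE_PDF).items():
        print(f"object {num} {gen} defined {len(versions)} times with different bodies")
```

Real samples usually keep annotations and metadata inside compressed object streams, so a production check decompresses with a proper PDF parser before applying either test; the regexes here only exist to keep the example self-contained. On the constructed sample the farm host carries five of six links and object 4 0 resolves to two different targets depending on which definition the reader honours.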

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                       Size
font_00_sfnt_off0000efae.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xEFAE    5196 bytes
  SHA-256: 9e6d13dfd7f9dc0dc8cf7f1f47e4c61ac5787dc14720e6abcabef79f17b534fb
font_01_sfnt_off0001015b.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1015B   10832 bytes
  SHA-256: 05cc00355260e87f31381393eaa565e749b013ca9f53d345419d05795659db54