Malicious PDF — malware analysis report

Static analysis result for SHA-256 25416472785f2269…

MALICIOUS

PDF

87.9 KB Created: 2021-06-03 23:25:44 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9b2ce1dd2b551ab26d90a3146bb323fc SHA-1: af2f5a1303fa0a3182666af9f3d86c4574eab3ac SHA-256: 25416472785f226920cf621f4457376fada80ed364d915cf3c822110a568f571
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The file contains a large number of external links, many hosted on disposable domains, suggesting a link farm or SEO manipulation tactic. One of the embedded URIs, 'https://ponafet.ru/123?utm_term=android+studio+auto+import', is likely part of this distribution network.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ponafet.ru/123?utm_term=android+studio+auto+import
    • https://gokatejasefe.weebly.com/uploads/1/3/4/6/134650338/jononibotebep.pdf
    • https://guxikotazo.weebly.com/uploads/1/3/4/7/134704652/tajunusedetulojeliwi.pdf
    • https://cdn-cms.f-static.net/uploads/4374951/normal_600ce3c00b6ce.pdf
    • https://wajufavex.weebly.com/uploads/1/3/4/5/134587400/sisofetatexepu_gokifuruzadeje_junukel.pdf
    • https://moxitamun.weebly.com/uploads/1/3/4/0/134040854/484f7956.pdf
    • https://kurokeduzuw.weebly.com/uploads/1/3/4/6/134693898/1741773.pdf
    • https://kobizixudowizeb.weebly.com/uploads/1/3/4/4/134402546/jolaxamat.pdf
    • https://tagojakiwuki.weebly.com/uploads/1/3/4/4/134444274/doxewatizalomazasa.pdf
    • https://static.s123-cdn-static.com/uploads/4427795/normal_5ffcff66c425d.pdf
    • https://pasuwuzo.weebly.com/uploads/1/3/1/4/131438486/467464.pdf
    • https://muzunamarufo.weebly.com/uploads/1/3/4/4/134463020/punir.pdf
    • https://cdn-cms.f-static.net/uploads/4369905/normal_60168c65ec936.pdf
    • https://cdn-cms.f-static.net/uploads/4445104/normal_5fe70d0212284.pdf
    • https://cdn-cms.f-static.net/uploads/4378605/normal_6042200f1712b.pdf
    • https://wiwujakibites.weebly.com/uploads/1/3/0/7/130740442/3193295.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/1030c0b5-240c-408a-ae49-78a18a3fd389/when_salt_is_added_to_water_what_happens_to_the_freezing_point.pdf
    • http://xesimisejek.pbworks.com/w/file/fetch/144502761/how_get_free_airtime_on_mtn.pdf
    • https://uploads.strikinglycdn.com/files/455d8473-e7de-47f3-ac9c-186cd6eff715/wowawerosujaximadekexewu.pdf
    • https://uploads.strikinglycdn.com/files/f4dd2ca6-0031-43d5-bc60-26f1628bbff0/4436019805.pdf
    • http://maxasol.pbworks.com/f/physical_science_module_3_grade_12_answer_key.pdf
    • http://vifogajo.pbworks.com/f/foundations_of_psychiatric_mental_health_nursing_study_guide.pdf
    • https://uploads.strikinglycdn.com/files/71028245-f8d3-4c67-ac5e-7894048ba5d0/que_es_la_literatura_segun_los_autores.pdf
    • https://uploads.strikinglycdn.com/files/b9f5d8f7-e323-4077-a3b6-6130889f171f/manuale_di_teoria_e_solfeggio.pdf
    • http://damopijos.pbworks.com/w/file/fetch/144499506/download_sony_vegas_pro_11_32_bit_full_crack_gigapurbalingga.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00011afd.bin
d271697a19ef2938ebc6a64b2317ab543602213fb96e44f20f48ce9c34644bc8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11AFD 5064 bytes
font_01_sfnt_off00012c1c.bin
aeeb8b53675c60c73e9f276b713c33f487e5a905fbdbdeb689939e3d6397f29e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12C1C 11024 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.