Malicious PDF — malware analysis report

Static analysis result for SHA-256 26c150df8df67c36…

MALICIOUS

PDF

Size: 89.5 KB
Created: 2021-05-31 01:03:11 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-08-20
MD5: bd33c3a283bbb9cffae2097205aaafbc
SHA-1: c3afabad7b1007161bf46921e2e6ed2aa1d7ef1c
SHA-256: 26c150df8df67c363427b18b377e5553a57a90c2429150d9fc46ac8130955dd4
Risk Score: 136

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution

The PDF contains a high-severity heuristic indicating it is a phishing lure that redirects to an external URL. The ML classifier and ClamAV detection strongly suggest malicious intent. The embedded URL, https://ponafet.ru/strik?utm_term=what+should+my+bass+eq+be+set+at, is identified as the primary indicator of compromise and likely leads to a phishing or malware distribution site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ponafet.ru/strik?utm_term=what+should+my+bass+eq+be+set+at (PDF link annotation)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://uploads.strikinglycdn.com/files/f571c5a1-4f58-4af8-b2f4-af61a45a07d2/what_is_the_power_dissipated_in_an_ac_circuit.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/dc6b9aed-9480-4ff1-a150-cf837916d5a7/carl_sagan_quotes_universe.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/a89ef564-a796-4f20-bcef-90586a700725/european_stock_market_open_time_ist.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/5b4dd84c-f9b5-402c-a221-77f61485eca6/kalesubuzawob.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/3bb14d97-d242-4016-a4a5-9be8bc0a4091/how_do_i_download_high_resolution_images_from_google.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/9f847ce4-08bf-45f7-81b2-ed97a209e871/gopro_hero_4_black_for_sale_uk.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/fd1cb4f3-0ffd-4fe2-971d-e03d582e3a43/can_you_eat_meat_on_an_alkaline_diet.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/10c4d41c-c7d1-4190-a6a7-6bbfc36c9690/53997171829.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/3603a01b-3497-4260-8e22-b68b92125e82/stats_modeling_the_world_ap_edition_4e.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/1e9b96a2-80ce-4406-a874-3c3005307783/reading_comprehension_test_for_grade_5.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/393529b8-6582-4a12-bfd1-bf9dc870c939/most_popular_books_to_read_2020.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/5ffdd959-ce87-41f9-92c2-d6fee136acb8/58896881025.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/ad689549-22ce-4292-820e-2db7fc81dfbf/harry_potter_and_the_goblet_of_fire_full_version_game_download_for_pc.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/a85fd299-a105-44d1-862e-98776345441a/43966439588.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/3f997b35-895e-477a-86e8-c83f33a93e2f/1419554847.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/4af65a5a-c846-47da-b225-a2774463028a/how_to_drain_oil_from_yard_machine_lawn_mower.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/08f23981-7880-4b2b-905f-6c420e8cd141/dekulapifujekiguk.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/f2f2f2c0-c221-4d71-af8d-75cfe990f21d/what_is_marxist_criticism_in_simple_terms.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/87dd699d-af34-4a6e-b4f7-7ba99e139b02/dewalt_20v_max_lithium-ion_brushless_compact_drill_driver.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off00011f8f.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x11F8F  5348 bytes
  SHA-256: 549e60cdfde3947a79996a76c9b4945e67dd135427b9e9312a6095026d1d6556
font_01_sfnt_off000131a1.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x131A1  11728 bytes
  SHA-256: ac7ae1ab1c6234eb73a3032c85ec2245c3e2c26223e9711dc49758033275ac96