Malicious PDF — malware analysis report

Static analysis result for SHA-256 29e1901b4d8fb9be…

Verdict: MALICIOUS
File type: PDF
Size: 73.8 KB
Created: 2021-03-24 06:05:53 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2da76add942ef1d6122c4fa695dc6697
SHA-1: 7cc612cbc3c6a9ad4705136efcca083319fca84f
SHA-256: 29e1901b4d8fb9bee5dedb2a479c954cbc7f24387c0bc59954537ba14f03621c
Risk score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous external links, the most prominent of which points to 'ponafet.ru'. That URL triggered the link-farm heuristic, which suggests the document exists to redirect users rather than to convey content. The ClamAV detection and the ML classifier both support the malicious verdict, classifying the file as a phishing trojan. No scripts were extracted, but the embedded URLs together with the link-farm heuristic indicate a likely phishing or malware-distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9960

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ponafet.ru/wix?keyword=singer+401+manual+espa%25C3%25B1ol

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000dd37.bin
    SHA-256: 4bcc827257560d091178d5eb6c3352dffa8f1a778c24349dab1e2c5a8435d884
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xDD37
    Size: 5736 bytes
  • Filename: font_01_sfnt_off0000f072.bin
    SHA-256: b99c43e800709baa49105a499e9e53ee861dca3f8777166f9bdfe2ad017e8fcd
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF072
    Size: 12408 bytes