Malicious PDF — malware analysis report

Static analysis result for SHA-256 3add050a4f2cbb5a…

Verdict: MALICIOUS
File type: PDF
Size: 81.6 KB
Created: 2021-05-07 15:47:36 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: fb30476229bf5767532055043a7e1fb8
SHA-1: deb1487ff667c685c2f96131b89c8e0e1bddfe6d
SHA-256: 3add050a4f2cbb5a586f4c6bd9236925fae3a04b13997693d58263ed7213feb8
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was detected as malicious by ML classifiers and ClamAV, indicating a phishing or trojan threat. It contains a large number of external links, with one pointing to a suspicious domain ('ponafet.ru') and others to potentially benign but numerous PDF files, suggesting a link farm designed to redirect users. The presence of embedded URLs and the PDF_SEO_LINK_FARM heuristic strongly indicate an attempt to direct users to malicious or deceptive content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics (5)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • [info] PDF_URI: External URI info
    PDF contains an external URL action.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ponafet.ru/strik?utm_term=how+do+you+cook+a+farmland+hickory+smoked+ham

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000feee.bin | ed6eeec343124a1fe9f857535c8e4a3458514a7c4098c84314363a3497a74ef5 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFEEE | 5480 bytes
font_01_sfnt_off00011183.bin | 0dc0109a8b97afcd0279dd8780b46408efa8100b65632149e1240a3b0bed5cea | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11183 | 11512 bytes