Malicious PDF — malware analysis report

Static analysis result for SHA-256 3c5512062596a195…

MALICIOUS

PDF

75.4 KB Created: 2021-03-29 14:07:28 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 62da70090226a25c9136a6783bf12adb SHA-1: d1b59334180e4d79e574055e555cc9e0f3c90890 SHA-256: 3c5512062596a1952f66c5aadb401c57628896cec0d68671ba2d6517de4350ca
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of external links, many of which are SEO-optimized and point to potentially malicious content, as indicated by the 'PDF_SEO_LINK_FARM' heuristic. The ClamAV detection and ML classifier strongly suggest malicious intent, likely phishing or malware distribution. The embedded URLs, such as https://ponafet.ru/award?keyword=aparato+reproductor+femenino+vaca+pdf, are suspicious and likely part of the lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ponafet.ru/award?keyword=aparato+reproductor+femenino+vaca+pdf
    • https://nubizuvilokimid.weebly.com/uploads/1/3/5/4/135401099/pigewadevologivipel.pdf
    • https://sokuvefababadax.weebly.com/uploads/1/3/1/8/131856373/bab54c03d36.pdf
    • https://xasozabeze.weebly.com/uploads/1/3/4/5/134501754/bozarepog.pdf
    • http://vzale.ru/rokefuwujukigedosuflcqx2.pdf
    • http://prognoz-football.club/fejubabezobwm7d.pdf
    • https://japiravonasuv.weebly.com/uploads/1/3/4/6/134644749/gibokux_xeguzipozi.pdf
    • https://nutovavodus.weebly.com/uploads/1/3/4/0/134012609/ef8920c426a376.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/b0fae145-123d-4803-b5b9-bd09d01f9906/manual_trena_bosch_glm_40.pdf
    • https://83f018a0-8e49-44f0-b57e-805e464a5f06.filesusr.com/ugd/10a4aa_2f89a85e6151419291ee6c3985a67c4e.pdf?index=true
    • https://a581e706-3bf6-41fb-8978-ad4d4077590d.filesusr.com/ugd/afbe6b_6e0084815e0f472bbcb654d69064780f.pdf?index=true
    • https://6c49ff76-e13b-46da-8354-2e633d56f736.filesusr.com/ugd/211c2d_000f901184db4ad192d331770c0e21b0.pdf?index=true
    • https://f72e0e13-a873-49c5-9cb5-3c2848b8c5b2.filesusr.com/ugd/f8ba4b_818c94860860411a874198d8cfa73912.pdf?index=true
    • https://64e18f06-8a0e-4dc1-8427-9dd81b4bff36.filesusr.com/ugd/baa514_9c28c60f934f4e189942e124ae8e5fc4.pdf?index=true
    • https://69f1164a-dcd3-4310-9fb4-3b67f03bdbb0.filesusr.com/ugd/9d7282_581dc85aa2624ca49383994c3e5dde93.pdf?index=true
    • https://uploads.strikinglycdn.com/files/41f5a7af-d239-4ba9-8f6d-eea327f06793/bible_study_guide_2019.pdf
    • https://uploads.strikinglycdn.com/files/3a6d0cfc-bc1a-4fb5-a34b-295a8e6d1410/kifowakewoviwenuda.pdf
    • https://uploads.strikinglycdn.com/files/84f04e5e-cd88-46b3-81d1-f32145cdaf81/social_contract_theory_hobbes.pdf
    • https://uploads.strikinglycdn.com/files/994bfb4b-3b2d-4915-8d9a-34e7a91272c4/15994718831.pdf
    • https://uploads.strikinglycdn.com/files/1addd5f6-cb72-4949-a003-6a10240021c9/cuisinart_immersion_blender_wont_turn_on.pdf
    • https://7be326e9-a1fd-4761-a84c-83c904220737.filesusr.com/ugd/37e945_0c5410a6cffa42328bbec75d67129b8f.pdf?index=true
    • https://51f47fa2-20f7-4ec4-bb91-8ae4aee689b4.filesusr.com/ugd/917232_39e3d27df50d44f5bd0888a8956a5eb7.pdf?index=true
    • https://507d1b22-ea03-4061-a262-f79425337ca2.filesusr.com/ugd/a374b9_caff5a125d9d4d1eac7a5546b4c011c8.pdf?index=true
    • https://uploads.strikinglycdn.com/files/17835ee3-095e-4d1a-b842-9893e573f445/sasuvomufawelonenabajil.pdf
    • https://uploads.strikinglycdn.com/files/52d2c95d-7271-4981-842c-9cbbbb39f854/giderumumoxusevapono.pdf
    • https://d115d978-d96a-40c8-9764-5d959708fc35.filesusr.com/ugd/436160_32802a9ba36a48898ee99bd9e7a599d3.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e935.bin
8409e7da20f9d67320878b2006d9f59409a3f47707c433a976ad53701682eed5		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE935 5140 bytes
font_01_sfnt_off0000faae.bin
825c5d1159059313e12decf09707ae42fcd27cf3e76e0ba8437c45901a6e5fc4		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFAAE 10936 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.