Malicious PDF — malware analysis report

Static analysis result for SHA-256 4b6728a022ce6264…

MALICIOUS

PDF

80.1 KB Created: 2021-03-22 03:28:14 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d3eca7028efdcf40781bbe09aec9b856 SHA-1: d7bee749c53dd25fc1b00d633930dd03d341a1e5 SHA-256: 4b6728a022ce62644d584935f6de366b357daaeaf1cc546c8a86fc22adc7f597
196 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document contains a large number of external links, many of which are obfuscated or lead to potentially malicious content, as indicated by the PDF_SEO_LINK_FARM and SE_LOLBIN_RUN_COMMAND heuristics. The ClamAV detection and ML classifier strongly suggest malicious intent, likely phishing or malware distribution. The primary malicious URL identified is https://ponafet.ru/strik.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ponafet.ru/strik?utm_term=why+is+my+totaline+thermostat+not+working
    • https://cdn.sqhk.co/patemugimej/idjdigK/school_of_dragons_gameplay_2019.pdf
    • https://cdn.sqhk.co/wugoxoxowex/eYPhijb/somefesefisepufak.pdf
    • https://cdn.sqhk.co/serodozire/hiQjdic/super_placar_ao_vivo_2019.pdf
    • http://pusewuvi.medianewsonline.com/ribaronazolimeteviw.pdf
    • https://static.s123-cdn-static.com/uploads/4460966/normal_5fed76264730f.pdf
    • https://cdn.sqhk.co/figakeves/iUqhfhd/island_fort_for_sale_usa.pdf
    • https://cdn.sqhk.co/xawefigi/dXaiaCk/golden_star_theaters_new_castle_pa.pdf
    • https://static.s123-cdn-static.com/uploads/4496826/normal_6004e5b5cdddd.pdf
    • http://tamigome.scienceontheweb.net/interview_questions_for_cabin_crew.pdf
    • https://cdn.sqhk.co/figakeves/iUqhfhd/island_fort_fo
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://8aefc570-8454-48c3-bb63-d4d1067b7ce0.filesusr.com/ugd/5c9621_28b315d0a0aa4cfe889933cb06517297.pdf?index=true
    • https://dbba0f06-1911-40f0-8c80-a2638c7f81cc.filesusr.com/ugd/b13fd1_c016aa7758c84c79933263699a6f90ea.pdf?index=true
    • http://woxikajir.myartsonline.com/pdf_file_resizer_app.pdf
    • https://d0fd53c2-66a5-49f7-a942-a4bfc50892a3.filesusr.com/ugd/11baf9_298c197c4d8f4cd4b5c2b48f51e2dc80.pdf?index=true
    • https://85d2c5a2-fc31-4f76-86b4-4ebe2abe2bf4.filesusr.com/ugd/a8cc01_3939036d2f194307a551cd3db693cc4a.pdf?index=true
    • https://uploads.strikinglycdn.com/files/dffeb460-9262-41d1-a26a-2ac3585096a5/ryobi_miter_saw_dust_bag_home_depot.pdf
    • https://uploads.strikinglycdn.com/files/540ff628-5811-4265-9063-b0ebbd92b99b/how_to_format_windows_7_using_cmd.pdf
    • https://fd0ef26f-7b8f-4c91-b3b2-19f7ec93487a.filesusr.com/ugd/4174bf_739f947cf3984e9d8c2f9e455c5eefe1.pdf?index=true
    • https://b84c3727-5d5a-4c5d-9d5d-21cac87b3a69.filesusr.com/ugd/fdd6c2_d0938b9ee1764411992eccfffb4fa6e3.pdf?index=true
    • https://ef9935f7-a918-44a1-999f-f1d50a45e4a7.filesusr.com/ugd/b463f2_16bf2eab20814d9e9f13a245fe3d304c.pdf?index=true
    • https://uploads.strikinglycdn.com/files/6ab4ae27-302b-4acd-96be-14f3426135ff/1734-aent_c_eds_download.pdf
    • https://uploads.strikinglycdn.com/files/1f16d726-0cbf-461b-9a61-3983f1e2b5df/how_do_you_program_an_xfinity_remote_to_a_samsung_tv.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000fb22.bin
7c5d255f7e7f1c9377cdf8fc6623f7fb458fedbb8f927f17643eda957c0a586b		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFB22 5372 bytes
font_01_sfnt_off00010d56.bin
c7ecc78012260438a9aa41a2d442e9ac503c767d4498a717b5ef570d57bb6db6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10D56 10344 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.