Malicious PDF — malware analysis report

Static analysis result for SHA-256 65fd9fa944b7967c…

Verdict: MALICIOUS
File type: PDF
Size: 78.5 KB
Created: 2021-03-24 06:19:11 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b05e1584a0dfd0ec6a1e54fa059732d9
SHA-1: a13d345e2219be5c6a2a9467dac4ee02408f6a14
SHA-256: 65fd9fa944b7967c1c87559281fd80499f14cc4cd25ac35ff890a4c63eed5d4d
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains a large number of external links, many of which point to other PDF files, indicating a link farm. The primary external URL observed is `https://ponafet.ru/aws?utm_term=someone+like+you+lyrics+van+morrison+meaning`, which is presented in a context suggesting it's a search result for song lyrics. This suggests the document's purpose is to drive traffic to these linked sites, likely for advertising revenue or to distribute further malicious content. No scripts were extracted, but the PDF structure and link farm heuristic strongly suggest a phishing or content-luring attack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ponafet.ru/aws?utm_term=someone+like+you+lyrics+van+morrison+meaning

Extracted artifacts 3

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000e715.bin
    SHA-256: 9e41b0b12655d09202f67bfde6679c565988c8a7d76e23e4189875eb6dcaa254
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE715
    Size: 5252 bytes
  • font_01_sfnt_off0000f8d1.bin
    SHA-256: 312f6c2471d893ac12aaa15fbbd78c768508b264f1d3f4d731d6c77396c9e2da
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF8D1
    Size: 11684 bytes
  • font_02_sfnt_off00011f60.bin
    SHA-256: a542ec26cea93e049a2e27cd59b1347dd9bbdea13775fd7b822b3c2b3136116f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11F60
    Size: 4324 bytes