Malicious PDF — malware analysis report

Static analysis result for SHA-256 7a6f2f4209b41eeb…

MALICIOUS

PDF

106.9 KB Created: 2021-03-29 23:16:19 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f2b6fb76a20983fc3664b935824cd66f SHA-1: eb784fdd2ae7e0bcff29ab61fdc79543b17b6d37 SHA-256: 7a6f2f4209b41eeb6f3508bd45247eb2c4bd91157096d5f6deb07e9469039bd4
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a heuristic firing for a 'Fake invoice / payment lure' and a large number of external PDF links, suggesting a link farm or phishing attempt. The ML classifier and ClamAV detection strongly indicate maliciousness. The presence of embedded URLs, particularly the one pointing to 'ponafet.ru', suggests an attempt to redirect the user to a malicious site for further exploitation or credential harvesting.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ponafet.ru/strik?utm_term=tom+clancy%2527s+jack+ryan+season+2+characters
    • https://mekuzawejonoma.weebly.com/uploads/1/3/1/6/131606345/6d7cdc4a0ab.pdf
    • https://niwosegebopusa.weebly.com/uploads/1/3/4/5/134583118/de3a2eee.pdf
    • http://profer-opt.ru/critical_thinking_skills_developing_effective_analysisry0db.pdf
    • https://lamujotidavupat.weebly.com/uploads/1/3/4/3/134375272/4382044.pdf
    • https://jilibawijoza.weebly.com/uploads/1/3/4/3/134363321/surijopasufoduguxo.pdf
    • https://wupugosow.weebly.com/uploads/1/3/1/3/131382590/rubajaw_fojotipejereg_kekanuj_robufozesegivut.pdf
    • https://refodalisa.weebly.com/uploads/1/3/4/4/134437853/f0490.pdf
    • http://copyright-notice-ig.com/37879739392b50oo.pdf
    • http://dalnoboyi.xyz/what_are_some_adaptations_of_desert_plants_and_animalssbg3y.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://0f7a2101-273c-4f7f-b1fd-079d1ad923c1.filesusr.com/ugd/a7ea6f_be888e5f07164b1d9d2c52cc8ba70c46.pdf?index=true
    • https://883cd1dc-02d0-4059-8fa2-99201f92b631.filesusr.com/ugd/6166c9_ab8b8d5ee33747b584f4d2ca71ebff7f.pdf?index=true
    • https://e437b920-fa79-41d5-b67c-0ca059f4e77a.filesusr.com/ugd/d97c10_a8a0982f528d4c31bf7c0b9e06ade02e.pdf?index=true
    • https://uploads.strikinglycdn.com/files/37c3a721-2093-4cc0-a438-b4f3cc542cdb/fojapebetoru.pdf
    • https://uploads.strikinglycdn.com/files/630dde21-b0a1-4d72-8f07-ace196586c7f/82229298007.pdf
    • https://uploads.strikinglycdn.com/files/b3f6304c-2472-4b76-9aa1-f4801bfae134/story_writing_worksheets_for_grade_7.pdf
    • https://d6bf9bfb-c092-4b17-ab9f-91da83e6a9d2.filesusr.com/ugd/d7ad14_32706f7e14144304b873c32625537598.pdf?index=true
    • https://29ca30ec-7ad4-487f-8637-d2d67f3a323c.filesusr.com/ugd/10b11f_2e436fa7aede4d648e5224991c9464d7.pdf?index=true
    • https://882e4f53-a7e1-4d4a-89e8-a6e6d9f9b805.filesusr.com/ugd/9a13d2_e04923a70b3543c3b8fc7ec63358394d.pdf?index=true
    • https://uploads.strikinglycdn.com/files/2b67de67-e006-40ef-b6ad-8e1921e62bd0/22804725891.pdf
    • https://uploads.strikinglycdn.com/files/bf479288-85f6-42f7-a797-19ea3b8f64ea/16163384278.pdf
    • https://04934832-22f3-474e-96de-b9d593e92251.filesusr.com/ugd/f390e7_044a2567468942f6a72ceb8f53ad3991.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001641a.bin
5b0e9342ae99f452873d182520ff682e03b43ae0afac51925d57fdbc1829c106		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1641A 5396 bytes
font_01_sfnt_off0001765f.bin
18ed01b93c24e49f6aa32e35cbaf0806649aac5e33a9ea610e3f9cf74b7e67e7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1765F 11820 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.