Malicious PDF — malware analysis report

Static analysis result for SHA-256 80b16cf7aaf1c648…

Verdict: MALICIOUS
File type: PDF
Size: 81.5 KB
Created: 2021-04-07 03:53:59 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f51b6054e965838775bf060db5acedf4
SHA-1: 187092b160b379a0c1d97d44776c473f2feb873b
SHA-256: 80b16cf7aaf1c648f5c2a40e94052619fbd1dcbe066089abbe5383aae56140cd
Risk Score: 126

Malware Insights

MITRE ATT&CK

  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF was flagged as malicious by the Nyx PDF classifier (score 0.9964) and by ClamAV, whose signature names it as a phishing trojan. It contains numerous external URIs: one points to ponafet.ru with an SEO-style 'keyword=' query, and most of the rest point to .pdf files on free or disposable content hosts (epizy.com, rf.gd, iblogger.org, atwebpages.com, filesusr.com, strikinglycdn.com and similar). That is a search-engine lure that routes users into redirect or payload chains, not a document with a normal citation pattern, and the PDF_SEO_DISPOSABLE_LINK_FARM heuristic captures exactly this shape: many links spread thin across many hosts with no single dominant host. The wkhtmltopdf authoring tag is consistent with mass-generated HTML-to-PDF pages. The document itself carries no exploit; none of the five heuristics reports JavaScript or other active content, so the T1059.007 (JavaScript) mapping above is not corroborated by the listed evidence, and the risk lies in the linked destinations. The w3.org, purl.org and ns.adobe.com entries in the URL list are XMP metadata namespace identifiers and scripts.sil.org/OFL is the Open Font License URL; they come from document and font metadata and are not clickable links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9964

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ponafet.ru/wix?keyword=wave+properties+lab+answers
    • http://albl.ru/18377743172h149c.pdf
    • http://mastericy-chistoty.ru/jj_rousseau_social_contract_theoryeyw66.pdf
    • http://nibajafij.medianewsonline.com/constitucion_poltica_estados_unidos_mexicanos_1857.pdf
    • http://chempion.coffee/nvram_reset_asus_router1mogq.pdf
    • http://youtube-subscribes.com/98929856372z6wnm.pdf
    • http://dafilor.iblogger.org/61020009084.pdf
    • http://tofotibuwul.sportsontheweb.net/crossfit_programming_spreadsheet_template.pdf
    • http://lovelyhouse.online/you_are_not_everyones_cup_of_tea_meaningwasiz.pdf
    • http://pokelujovemeda.iblogger.org/21467026207.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://jatomije.rf.gd/91908981781.pdf
    • http://zotubune.myartsonline.com/vivitukosajakalijugelezi.pdf
    • http://lidazadopedu.rf.gd/answers_to_how_are_you_feeling_today.pdf
    • https://a7193630-a032-4ee2-b136-33837135b76a.filesusr.com/ugd/fac845_5ae9198dad744be8bf25ea89c6b3b6db.pdf?index=true
    • http://kuxoxulid.epizy.com/bibubudogidexuv.pdf
    • http://lejipuzab.epizy.com/thematic_apperception_test_images.pdf
    • https://a2ae8793-a99f-480d-a3bc-849ef63d34f7.filesusr.com/ugd/cc207a_ec8b472c52e74db4b88ae45af6825199.pdf?index=true
    • http://viwudajokufado.atwebpages.com/binomial_theorem_pascal_triangle.pdf
    • https://1801fa0f-56e4-4894-8452-b8e06651d4be.filesusr.com/ugd/868401_0a9d6527d284447486994f9bc92a944d.pdf?index=true
    • http://bamakisubageto.epizy.com/vefoke.pdf
    • https://e5aadbcf-511f-4ee2-989a-4410a22eeed0.filesusr.com/ugd/64930c_9ea210889bc24939a58e8b0970b00a47.pdf?index=true
    • http://kuwulanunemitiv.epizy.com/fugovowatugamutanifiso.pdf
    • http://wemiwapava.epizy.com/arpa-_e_foa_perform.pdf
    • https://uploads.strikinglycdn.com/files/f887f8d7-c36e-46c8-b0a1-0cb23f14d4ab/how_to_assemble_cuisinart_classic_food_processor.pdf
    • http://sinamefutipedot.epizy.com/tadobowejej.pdf
    • https://uploads.strikinglycdn.com/files/c295b53d-4d2c-4d72-9bda-8e766fb6bfd2/razobatekamasewirukagavov.pdf
    • https://uploads.strikinglycdn.com/files/5229f687-bd2a-4c6d-b438-0457557d6843/58495630749.pdf
    • https://7322f44d-5cb7-45f5-8521-a79093f6ce74.filesusr.com/ugd/dd0890_432204fa596e443da7bd6ec644e38a95.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
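The two structural heuristics above (the duplicate-object check and the link-farm check) can be re-derived from the raw bytes of a PDF without a full parser. The script below is an added example written for this report, not the scanner's own code: the regexes, the ACTIVE_NAMES list, the DISPOSABLE_SUFFIXES list and the link-farm thresholds are assumptions chosen to match the heuristic descriptions, and SAMPLE_PDF is a constructed file that mimics this family (eight link annotations across eight hosts, then an incremental update that redefines object 4 with a JavaScript action, so first-wins and last-wins readers resolve different content).

```python
# Added example (not the scanner's code): re-derive the two heuristics above from raw
# PDF bytes. PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: the same "N G obj" defined twice with
# different bodies, so first-wins and last-wins readers disagree. PDF_SEO_DISPOSABLE_
# LINK_FARM: many /URI targets spread thin across hosts, some on free/disposable hosting
# or carrying utm_term. SAMPLE_PDF is constructed for the demo, not the analysed file.
import hashlib
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# "N G obj ... endobj" in file order. Regex triage, not a full lexer; it deliberately
# also sees objects appended in incremental updates after the first %%EOF.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")          # /URI (literal) in link actions
ACTIVE_NAMES = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA")
# Assumed free/disposable content hosts for this family (example list, not exhaustive).
DISPOSABLE_SUFFIXES = ("epizy.com", "rf.gd", "iblogger.org", "atwebpages.com",
                       "myartsonline.com", "sportsontheweb.net", "medianewsonline.com",
                       "filesusr.com", "strikinglycdn.com")

def parse_objects(data):
    """[((num, gen), body_bytes), ...] in the order the definitions appear."""
    return [((int(m[1]), int(m[2])), m[3].strip()) for m in OBJ_RE.finditer(data)]

def duplicate_objects(data):
    """Objects defined more than once with differing body bytes."""
    seen = {}
    for key, body in parse_objects(data):
        seen.setdefault(key, []).append(body)
    out = {}
    for key, bodies in seen.items():
        if len({hashlib.sha256(b).digest() for b in bodies}) > 1:
            out[key] = {
                # severity is raised only when some body carries active content
                "active": any(n in b for b in bodies for n in ACTIVE_NAMES),
                "first_wins": bodies[0],   # what a first-definition-wins reader resolves
                "last_wins": bodies[-1],   # what a last-definition-wins reader resolves
            }
    return out

def extract_uris(data):
    return [m[1].decode("latin-1") for m in URI_RE.finditer(data)]

def link_farm_score(uris):
    """Host-spread metrics behind the link-farm heuristic (thresholds are assumed)."""
    hosts = [urlparse(u).hostname or "" for u in uris]
    counts, n = Counter(hosts), len(uris)
    dominant = max(counts.values()) / n if n else 0.0
    disposable = sum(h.endswith(DISPOSABLE_SUFFIXES) for h in hosts)
    seo = sum("utm_term" in parse_qs(urlparse(u).query) for u in uris)
    return {"links": n, "distinct_hosts": len(counts),
            "dominant_host_share": round(dominant, 3),
            "disposable_links": disposable, "seo_redirector_links": seo,
            "link_farm": n >= 8 and dominant <= 0.25 and disposable + seo > 0}

def triage(data):
    uris = extract_uris(data)
    return {"duplicates": duplicate_objects(data), "uris": uris,
            "links": link_farm_score(uris)}

def _link(num, url):
    return b"%d 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (%s) >> >> endobj\n" \
        % (num, url.encode())

# Constructed sample: eight link annotations on eight hosts, then an incremental update
# that redefines object 4 with a JavaScript action in place of the URI.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R 8 0 R 9 0 R 10 0 R 11 0 R] >> endobj\n"
    + _link(4, "https://ponafet.ru/wix?keyword=x&utm_term=y")
    + _link(5, "http://kuxoxulid.epizy.com/a.pdf")
    + _link(6, "http://lejipuzab.epizy.com/b.pdf")
    + _link(7, "http://jatomije.rf.gd/c.pdf")
    + _link(8, "http://dafilor.iblogger.org/d.pdf")
    + _link(9, "http://chempion.coffee/e.pdf")
    + _link(10, "http://lovelyhouse.online/f.pdf")
    + _link(11, "http://albl.ru/g.pdf")
    + b"trailer << /Root 1 0 R >>\n%%EOF\n"
    + b"4 0 obj << /Type /Annot /Subtype /Link /A << /S /JavaScript "
      b"/JS (app.launchURL('http://example.invalid')) >> >> endobj\n"
    + b"trailer << /Root 1 0 R /Prev 0 >>\n%%EOF\n"
)

if __name__ == "__main__":
    import pprint
    pprint.pprint(triage(SAMPLE_PDF))
```

On a real sample, call triage(open(path, "rb").read()) and compare first_wins against last_wins for any duplicate before trusting what a single viewer shows. The regex approach does not look inside compressed object streams (/ObjStm) or encrypted files, so an empty result from it is not proof of absence; for those cases decode the streams first.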

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      | Kind            | Source                                     | Size
font_00_sfnt_off00010251.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10251 | 5120 bytes
  SHA-256: c19f9e4b8b41d364aa1f28d1f484b0c55ecca9279e69a8378efbf50c67b09f95
font_01_sfnt_off000113db.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0x113DB | 10820 bytes
  SHA-256: 6472d7f3cb7e11b1b4f907b34e19f1c680514e15ba30727ff79a9676b7a31fd9