Malicious PDF — malware analysis report

Static analysis result for SHA-256 85efead237cb48fb…

Verdict: MALICIOUS
File type: PDF
Size: 82.7 KB
Created: 2021-04-10 08:06:39 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 434ec13a35660806d501e71ae2e8e6e4
SHA-1: d12eefe265663bd30cc149d9d9b7c6e02d8f8f6b
SHA-256: 85efead237cb48fbba7e7e420feb42d5ae8ddcd00b39e80604d0132d71037028
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous external links, with a critical heuristic identifying it as a link farm. The primary malicious URL, https://ponafet.ru/strik, is likely used for phishing or to serve a second-stage payload. Although no scripts were explicitly extracted, the PDF structure and the presence of many external links suggest an attempt to redirect the user to a malicious site, aligning with spearphishing tactics.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (4)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ponafet.ru/strik?utm_term=diana+palmer+jacobsville+series+list
    • https://namowabe.weebly.com/uploads/1/3/4/0/134000139/zawumawu-tikobepemisesu.pdf
    • https://mipopifedaruw.weebly.com/uploads/1/3/4/3/134356442/d881431d9adf11.pdf
    • http://salizurewaki.mypressonline.com/77164053623.pdf
    • http://ruxuzosok.mywebcommunity.org/83482204959.pdf
    • https://zokupirijega.weebly.com/uploads/1/3/4/0/134000213/peposakukajo.pdf
    • https://fotizewuzawefuv.weebly.com/uploads/1/3/4/6/134668380/fikasuluni_rirevi.pdf
    • https://povejuzulegaje.weebly.com/uploads/1/3/5/3/135301343/pifomozis.pdf
    • https://ruwatija.weebly.com/uploads/1/3/4/8/134846771/diwina.pdf
    • https://cdn-cms.f-static.net/uploads/4527237/normal_603f4fa4ee9ff.pdf
    • https://sibafuguwo.weebly.com/uploads/1/3/4/6/134679660/leseno_fivaro_dogozagebezam.pdf
    • https://cdn-cms.f-static.net/uploads/4381090/normal_6032737d13846.pdf
    • https://fuxiwajusefu.weebly.com/uploads/1/3/4/6/134617271/towegevenemu.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/7709c253-6526-4c72-87e9-89a386230d98/xodibin.pdf
    • https://uploads.strikinglycdn.com/files/e6c9fc6e-1d6c-4b42-9d2b-a0703796924b/holy_quran_software_for_pc.pdf
    • https://2dcb0092-dd22-4cef-90c1-8c398f802bb7.filesusr.com/ugd/ff3115_28e1874d0cdd4041b74788e9a3dfc0ba.pdf?index=true
    • http://wugetad.myartsonline.com/19108427642.pdf
    • https://uploads.strikinglycdn.com/files/3e9ca5cf-5e4c-4b10-81da-0a09e96d9f89/37701199729.pdf
    • https://1058d175-53f8-4d86-9201-ae9c1fc74009.filesusr.com/ugd/62a633_1bc65934633046b4958e46275620477a.pdf?index=true
    • https://uploads.strikinglycdn.com/files/de6ff2d0-e36c-4271-a8f6-e74144023c75/how_to_explain_climate_change_to_a_child.pdf
    • https://45f0f727-c607-4398-b3b7-8b42e23b21b2.filesusr.com/ugd/0a84ca_5b1eb516e71e46ed94dcff9aac6d58dd.pdf?index=true
    • http://nedizilunok.myartsonline.com/sejarah_perubahan_uud_1945.pdf
    • https://d89d6b52-6e76-4e18-bccb-bd7428cfddad.filesusr.com/ugd/02beb7_f7d54005c6c742719a7294901aa40558.pdf?index=true
    • https://c183b790-cb34-49aa-848e-1a9f2b14dda3.filesusr.com/ugd/d8966e_edf83b138bc94ba18b5ee5d8d5516ccf.pdf?index=true
    • https://uploads.strikinglycdn.com/files/83286b1f-a206-4469-bd57-947a9deacd08/bose_321_series_ii_remote_control.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off000104cc.bin
    SHA-256: 3bba64b61fbf89f3acfab2c7cb51bdba748951b0410613aaf2a1a154a3a4c542
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x104CC
    Size: 5356 bytes
  • font_01_sfnt_off000116f3.bin
    SHA-256: 44a68f2d5ee0c83f34f887c2b875ad90af6075c728a39a1ab3f3c8836f560485
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x116F3
    Size: 10840 bytes