PDF malware analysis — malicious · 8a0aba4211f5c92e

MALICIOUS

PDF

87.4 KB Created: 2021-03-20 01:54:34 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-13

MD5: 6daa4cd5aa75f8bdf4256e8abf20f771 SHA-1: 68d43de3feaaf63ef138ca673d7562f348fd2996 SHA-256: 8a0aba4211f5c92e0ca30af1a8f978af1bc0d13fb2bbe2a838c94cba415ab95e

156 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of external links, many of which are dynamically generated and point to SEO-optimized content, indicating a link farm designed to attract traffic. The primary malicious URL identified is 'https://ponafet.ru/wix?keyword=2020+high+school+basketball+player+rankings', which is likely used to distribute further malicious content or phishing pages. The presence of numerous benign-looking PDF links suggests an attempt to camouflage the malicious intent.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 5

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ponafet.ru/wix?keyword=2020+high+school+basketball+player+rankings PDF link annotation
- http://sevibifodome.getenjoyment.net/21254464324.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://s3.amazonaws.com/suzixegazunow/88594985142.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/15c38887-d8c8-414f-bbe3-5a5e096a6117/40803098367.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/3dce6206-50bf-4460-bb49-54d11fea23e1/dunkin_donuts_chai_tea_latte_calories.pdfIn PDF document text
- https://s3.amazonaws.com/risalenefazozo/telugu_movies_free_latest.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/2b75b064-f364-44c3-9c7b-3e380778cc64/2016_ford_mustang_gt_for_sale_near_me.pdfIn PDF document text
- http://sajulugebimisu.myartsonline.com/mega_construx_probuilder_masters_of_the_universe_castle_grayskull.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/f54769f1-eb3c-498b-8afd-c4f131c4c9fc/68866911963.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/fee6c7bc-7380-46de-b0cf-2d16b41b8d22/85530205308.pdfIn PDF document text
- https://s3.amazonaws.com/tunenijexe/luwefazozapoxepisim.pdfIn PDF document text
- https://cee4a208-09ac-40e0-983f-4c2cc776acbe.filesusr.com/ugd/5ed537_2b425563736444119fc55a69a04cff34.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/a6cde585-9f98-480a-b3c6-6064193a5244/dazemegofepanupigofopi.pdfIn PDF document text
- https://43a2ba88-5de9-465b-b95f-6a4d82f2d06e.filesusr.com/ugd/dcbeda_849d4686246449bf86360f1c79a25de4.pdf?index=trueIn PDF document text
- https://s3.amazonaws.com/kufazete/24329710480.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/5fa4573b-ddc4-4c26-a1cc-f1b14800ee8a/xofadokodorelufofarubejig.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/1dcc1e06-b1ba-437b-8266-75c53cd8cd6a/manifiesto_comunista_karl_marx_libro.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/df8fffe5-f65d-4116-a6d8-785706ae2b58/melhores_lugares_para_viajar_em_junho.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/5891b465-4f24-4ff4-9f4c-a971628eab14/percy_jackson_and_the_olympians_movie_3.pdfIn PDF document text
- https://e5720c39-3c1c-4a52-9be9-509675281b5a.filesusr.com/ugd/0010c8_37304f3d953744a88d768199ab9186e7.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/c32ea1e3-901a-440d-ad2f-3234a42ac5a3/learn_korean_language_sinhala_free_download.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00011774.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x11774	5680 bytes
SHA-256: `83a1e1616e753e9b24975895c3e0bc021a3544826206e58df65755dc63d02fb6`
`font_01_sfnt_off00012ac5.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x12AC5	11092 bytes
SHA-256: `510fdfed40131c28f2ee83050208475be69b95d37d2b62fb05df84385f19f997`

Open this report in the interactive analyzer, or submit your own file for analysis.