Malicious PDF — malware analysis report

Static analysis result for SHA-256 b1c52102829d763a…

MALICIOUS

PDF

92.0 KB Created: 2021-03-12 20:58:45 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5d852335720b9654969590a215c50934 SHA-1: 2cdc6d00852b2e6503cbe2500cb45ce1ab4f8a71 SHA-256: b1c52102829d763a0ba0e57f314af4ad2dd6e7fdad406271d231c49456d55b1d
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a mass of external links, many of which are likely part of a link farm designed to improve search engine rankings for malicious sites. The primary malicious URL identified is 'https://ponafet.ru/123?utm_term=authorization+letter+for+birth+certificate+template', which is likely used for phishing or malware distribution. The ML classifier and ClamAV detection strongly indicate malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ponafet.ru/123?utm_term=authorization+letter+for+birth+certificate+template
    • https://waxebusesu.weebly.com/uploads/1/3/4/7/134770319/rigemofaw-kojetabumaxaxu-sirat.pdf
    • https://puxonuge.weebly.com/uploads/1/3/1/3/131383548/bigazitukiviwuzodef.pdf
    • https://gogabaxada.weebly.com/uploads/1/3/4/8/134852864/wuloranitumenofigi.pdf
    • https://janolonixo.weebly.com/uploads/1/3/3/9/133987325/genarufupar_logafolusagot_xikewibuditox.pdf
    • https://wefidabewurar.weebly.com/uploads/1/3/1/1/131164485/7379850.pdf
    • https://najigojuvunijo.weebly.com/uploads/1/3/0/8/130874658/6840682.pdf
    • https://wonozonozosog.weebly.com/uploads/1/3/1/3/131398184/milawuk_wirunawoxa_tiliva_pijojudaroxem.pdf
    • https://vutuwoti.weebly.com/uploads/1/3/4/7/134720014/dda78cd7d86c.pdf
    • https://mavakonagidesa.weebly.com/uploads/1/3/1/4/131483278/9034967.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/gatazeromij/85513223652.pdf
    • https://uploads.strikinglycdn.com/files/93bbaf0d-153a-4559-af50-8b26e6c8c2cd/conservation_of_momentum_worksheet_answers_chapter_8.pdf
    • https://uploads.strikinglycdn.com/files/ce887a66-5bcd-4155-899e-6d8e52deea91/97993051124.pdf
    • https://uploads.strikinglycdn.com/files/adea8357-7e14-4b28-851f-dcd14c15d566/vomawe.pdf
    • https://e82ff0bd-cb1a-4782-8b92-0a0fb7657660.filesusr.com/ugd/d17951_8c9118fd43cd4536a81297c97eef4860.pdf?index=true
    • https://s3.amazonaws.com/titugome/shakespeare_sonnet_30_sparknotes.pdf
    • https://ec451167-49e0-489e-a150-d7dc0ecf9264.filesusr.com/ugd/fe0276_833d830349504859a7819bfacf46c64a.pdf?index=true
    • https://1c684d3d-b1aa-4d58-8f8e-408f9cf37fac.filesusr.com/ugd/64d889_ca5dc0382e5341ca88df37ac55ca9daf.pdf?index=true
    • https://uploads.strikinglycdn.com/files/76173819-82bd-4804-85a0-d2877aac0fcf/popstar_never_stop_never_stopping_streaming_australia.pdf
    • https://uploads.strikinglycdn.com/files/c2e864b7-b36c-4e18-93b7-29cf0fc1dc71/brother_pt-1280_p-touch.pdf
    • https://s3.amazonaws.com/gopuze/44712812612.pdf
    • https://4c72699b-aa2e-4dc8-8bd5-1a54e8f938a6.filesusr.com/ugd/f3cb45_89e22fd509ee42a4a238602a8e8c007d.pdf?index=true
    • https://uploads.strikinglycdn.com/files/ebd5f757-e315-4b6f-a79f-d99a5e58c095/the_shadow_over_innsmouth_page_count.pdf
    • https://s3.amazonaws.com/kofabube/is_epic_the_best_emr.pdf
    • https://uploads.strikinglycdn.com/files/a5995c6e-7444-4598-ba5a-cb9fa42a9b34/vegezewewobugaxubokinirum.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00012ade.bin
6972664021adeb67edaa50a52f28d3ae2bbaed27b349d777d69166efccb26e7b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12ADE 5256 bytes
font_01_sfnt_off00013ca0.bin
454cb3cfb652b52ec1dadae7ae411d24a968346dbd3e0cfee2b8ed268f0f0c3b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x13CA0 11080 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.