Malicious PDF — malware analysis report

Static analysis result for SHA-256 b4b5dfb02450f6a2…

Verdict: MALICIOUS
File type: PDF
Size: 84.7 KB
Created: 2021-03-23 23:38:36 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: efa1dd05b1ddaa8a9355987a8bac8b10
SHA-1: 9b28a57621a11e74777e23b8ad15a9d738d6dc62
SHA-256: b4b5dfb02450f6a2ae467c31e57fc67993a7deaf7e1e827276e1f53d577795e6
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution
The T1203 mapping is a class-level tag for PDF lures. None of the findings below reports an exploit, JavaScript or launch action, so for this sample it describes a potential rather than an observed technique; the observed behaviour is the link chain covered by T1566.001.

This PDF was flagged by three independent signals: a ClamAV signature (Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0), the Nyx ML classifier (score 0.9998) and the structural link-farm heuristic. It contains numerous external links. The primary one, `https://ponafet.ru/wix?keyword=flvs+personal+fitness+exam+answers`, carries a search keyword in its query string, and the remaining clickable targets are further PDFs hosted on free site builders and object storage (weebly.com, strikinglycdn.com, s123-cdn-static.com, s3.amazonaws.com, epizy.com, rf.gd). That is the shape of a search-engine-poisoning link farm: the document exists to route users who searched for the keyword into a chain of look-alike PDFs that ends in malicious or unwanted-software delivery, not to convey content. The authoring application (wkhtmltopdf, an HTML-to-PDF converter) is consistent with the file being generated from a template rather than written by hand.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (5)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • [info] PDF_URI: External URI
    PDF contains an external URL action (/URI).
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content (for example an action or JavaScript entry); for this sample it stays at info.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL channel labels (macro, JS, link annotation, document body, ...) identify how each URL is reached, and they were not preserved in this copy of the report. By form, the first group below are the clickable link targets that the link-farm heuristic counts: the primary URL carries a search keyword, and the rest are further PDFs on free site builders and object storage. The second group are XMP namespace identifiers plus font vendor and licence URLs (Ascender Corp. is a font vendor and scripts.sil.org/OFL is the Open Font License URL), most likely from the metadata block and the name tables of the two embedded fonts listed under extracted artifacts; they are not part of the link farm.
    Link targets:
    • https://ponafet.ru/wix?keyword=flvs+personal+fitness+exam+answers (primary)
    • https://wekosidofanepa.weebly.com/uploads/1/3/2/6/132696212/a9d0d927107447.pdf
    • https://cdn-cms.f-static.net/uploads/4388629/normal_604f8fdf8e436.pdf
    • https://static.s123-cdn-static.com/uploads/4422392/normal_5fc7c991b3407.pdf
    • https://jitonugen.weebly.com/uploads/1/3/4/6/134617549/42c5260af5.pdf
    • https://static.s123-cdn-static.com/uploads/4481162/normal_5fe50678ce922.pdf
    • https://zunejekuriraruk.weebly.com/uploads/1/3/2/7/132712234/9955892.pdf
    • https://garururukipu.weebly.com/uploads/1/3/4/2/134235121/3429245.pdf
    • https://pupalizote.weebly.com/uploads/1/3/4/7/134716330/zitud.pdf
    • https://uploads.strikinglycdn.com/files/792ea35f-60b2-44ef-a389-a002ca2fd445/gemudejipubuxuv.pdf
    • https://s3.amazonaws.com/vaxebisapesi/26897306316.pdf
    • https://uploads.strikinglycdn.com/files/bbb088b3-7e96-4a32-90a2-ef04f9df65a2/gujurulewegut.pdf
    • http://kunamemel.epizy.com/captain_america_entrance_infinity_war_ringtone.pdf
    • https://uploads.strikinglycdn.com/files/03ec0d65-4c0a-4626-a5b7-e26df38ad670/71099143015.pdf
    • https://uploads.strikinglycdn.com/files/832c0e43-22c0-4b67-904c-e397703d7218/primer_curso_de_contabilidad_elias_lara_flores_26a_edicion.pdf
    • https://uploads.strikinglycdn.com/files/8cd020cd-9d44-47ce-8e1b-aa0e256803eb/saterubuvapamofezifadit.pdf
    • http://zazaluvuzusu.rf.gd/sbi_dynamic_asset_allocation_fund.pdf
    • https://uploads.strikinglycdn.com/files/0a33057a-f21b-4f7e-9541-99a9ac92d67c/19221676017.pdf
    • https://s3.amazonaws.com/dedinavesute/best_adventure_story_game_android.pdf
    Metadata, font vendor and licence URIs (not link annotations):
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
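The two structural heuristics above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, can be reproduced offline. The following Python is an added example and not the scanner's own code: it walks `N G obj ... endobj` definitions in raw PDF bytes, keeps every definition of an object so that duplicates can be compared and resolved first-wins or last-wins, extracts `/URI` action targets, and applies a size, link-count and host-clustering threshold. The sample PDF is constructed inside the block (it is not the analysed file), and the thresholds, the `a.example`/`b.example`/`c.example` hostnames and the `ACTIVE_KEYS` list are assumptions.

```python
"""Added example, not the scanner's own code: re-implements the shape of the
PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristics over raw
PDF bytes. Sample PDF, hostnames and thresholds are constructed assumptions."""
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# "N G obj ... endobj"; lazy, so a body ends at the first endobj.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
# /URI (literal string); the hex-string form <...> is not handled here.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# Keys that make a duplicate definition worth escalating (assumed list).
ACTIVE_KEYS = (b"/URI", b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction",
               b"/AA", b"/GoToR", b"/SubmitForm")


def parse_objects(data):
    """{(num, gen): [body, ...]} in file order; every definition is kept."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3))
    return objs


def duplicate_objects(objs):
    """Objects defined more than once with byte-different bodies, flagged when
    either body carries active content (first-wins vs last-wins diverge)."""
    findings = []
    for key, bodies in objs.items():
        distinct = []
        for b in bodies:
            if b not in distinct:
                distinct.append(b)
        if len(distinct) > 1:
            active = any(k in distinct[0] or k in distinct[-1] for k in ACTIVE_KEYS)
            findings.append({"obj": key, "versions": len(distinct),
                             "active_content": active})
    return findings


def external_uris(objs, policy="last"):
    """http(s) /URI targets, resolving duplicates first-wins or last-wins."""
    uris = []
    for bodies in objs.values():
        body = bodies[0] if policy == "first" else bodies[-1]
        for m in URI_RE.finditer(body):
            raw = m.group(1).replace(b"\\(", b"(").replace(b"\\)", b")")
            uris.append(raw.decode("latin-1"))
    return [u for u in uris if urlparse(u).scheme in ("http", "https")]


def analyze(data, min_links=8, max_size=256 * 1024, cluster=0.5):
    """Link-farm verdict (small file, many external links, most on one host)
    plus duplicate-object findings. Thresholds are illustrative assumptions."""
    objs = parse_objects(data)
    uris = external_uris(objs, "last")
    hosts = Counter(urlparse(u).netloc for u in uris)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    return {"size": len(data), "external_links": len(uris), "hosts": dict(hosts),
            "top_host": top_host,
            "link_farm": (len(data) <= max_size and len(uris) >= min_links
                          and top_n / len(uris) >= cluster),
            "duplicate_objects": duplicate_objects(objs)}


def build_sample(hosts, incremental_update=True):
    """Constructed PDF (not the analysed sample): one page with a /Link
    annotation per host entry, optionally followed by an incremental update
    that redefines 4 0 obj to point somewhere else."""
    urls = [f"https://{h}/uploads/{i}.pdf" for i, h in enumerate(hosts)]
    annots = " ".join(f"{4 + i} 0 R" for i in range(len(urls)))
    parts = [b"%PDF-1.4",
             b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
             b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
             f"3 0 obj << /Type /Page /Parent 2 0 R /Annots [{annots}] >> endobj".encode()]
    for i, u in enumerate(urls):
        parts.append(f"{4 + i} 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                     f"/A << /S /URI /URI ({u}) >> >> endobj".encode())
    parts.append(b"trailer << /Root 1 0 R >>\n%%EOF")
    if incremental_update:  # second definition of 4 0 obj with a different body
        parts.append(b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                     b"/A << /S /URI /URI (https://c.example/redirect) >> >> endobj")
        parts.append(b"trailer << /Root 1 0 R >>\n%%EOF")
    return b"\n".join(parts)


SAMPLE_HOSTS = ["a.example"] * 7 + ["b.example"] * 2  # constructed link farm

if __name__ == "__main__":
    r = analyze(build_sample(SAMPLE_HOSTS))
    print(f"{r['external_links']} links, hosts={r['hosts']}, link_farm={r['link_farm']}")
    for d in r["duplicate_objects"]:
        print(f"duplicate {d['obj']}: {d['versions']} versions, active={d['active_content']}")
```

Run as is, it reports nine links with the last-wins host distribution and one duplicate definition of 4 0 obj that carries a /URI; calling `external_uris(objs, "first")` instead shows the original target, which is exactly the divergence the duplicate-object heuristic warns about. A production scanner additionally has to inflate object streams and handle hex-string `/URI` values, neither of which this example does.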

Extracted artifacts (2)

Files carved from inside the sample during analysis. Neither artifact triggered a finding; they are listed so that the embedded fonts, the most plausible place in this file for a client-side parser exploit (T1203) to sit, can be hashed and inspected on their own.

Filename: font_00_sfnt_off00010944.bin
  SHA-256: 7a7f02752e6501b24a43d1269abd580fcd44974e6b5d18f9f20fe6957b7ecb94
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x10944
  Size: 5224 bytes

Filename: font_01_sfnt_off00011b0d.bin
  SHA-256: 82f78bbe285062ac03a62be9a85be640c0954e328bb63c5254d43087c452912b
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x11B0D
  Size: 12580 bytes
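Reproducing the carving step behind the table above, as an added Python example rather than the sandbox's own carver: it walks stream objects, inflates FlateDecode streams, keeps bodies that start with an sfnt magic, and records the file offset, decoded size, SHA-256 and table directory the way the artifact table does. The PDF and the "font" are constructed inline (a minimal sfnt header, not a real font), so the offsets it prints are for that sample, not the values in the table.

```python
"""Added example, not the sandbox's own carver: reproduces the extracted-
artifacts step by walking stream objects, inflating FlateDecode streams and
keeping those that begin with an sfnt magic, recording offset, size, SHA-256
and the table directory. The PDF and the 'font' below are constructed."""
import hashlib
import re
import struct
import zlib

# "N G obj << dict >> stream\n...\nendstream"; the dict may not cross an endobj.
STREAM_RE = re.compile(
    rb"(\d+)\s+(\d+)\s+obj\s*<<((?:(?!endobj).)*?)>>\s*stream\r?\n(.*?)\r?\nendstream",
    re.DOTALL)
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true", b"ttcf")


def table_tags(body):
    """Table-directory tags of a single-font sfnt ('ttcf' collections skipped)."""
    if body[:4] == b"ttcf" or len(body) < 12:
        return []
    n = struct.unpack(">H", body[4:6])[0]
    return [body[12 + 16 * i:16 + 16 * i].decode("latin-1")
            for i in range(n) if 28 + 16 * i <= len(body)]


def carve_sfnt(data):
    """Every stream whose (decoded) body starts with an sfnt magic."""
    hits = []
    for m in STREAM_RE.finditer(data):
        dictionary, body = m.group(3), m.group(4)
        encoded = b"/FlateDecode" in dictionary
        if encoded:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                continue  # truncated, or not really deflate
        if body[:4] not in SFNT_MAGICS:
            continue
        hits.append({
            "obj": (int(m.group(1)), int(m.group(2))),
            "offset": m.start(4),  # file offset of the raw stream data
            "encoded": encoded,
            "size": len(body),  # decoded size, as in the artifact table
            "sha256": hashlib.sha256(body).hexdigest(),
            "tables": table_tags(body),
        })
    return hits


def fake_sfnt():
    """Constructed stand-in for a TrueType font: 12-byte sfnt header (version
    1.0, one table), one 'head' record, 54 bytes of filler. Not renderable."""
    head = bytes(54)
    header = struct.pack(">IHHHH", 0x00010000, 1, 16, 0, 0)
    record = b"head" + struct.pack(">III", 0, 28, len(head))
    return header + record + head


def build_sample():
    """Constructed PDF: a text stream, a Flate-compressed font stream, and the
    same font stored uncompressed (a FontFile2 with no /Filter)."""
    font = fake_sfnt()
    enc = zlib.compress(font)
    return b"\n".join([
        b"%PDF-1.4",
        b"1 0 obj << /Type /Catalog >> endobj",
        b"2 0 obj << /Length 5 >> stream\nhello\nendstream\nendobj",
        b"3 0 obj << /Length %d /Length1 %d /Filter /FlateDecode >> stream\n"
        % (len(enc), len(font)) + enc + b"\nendstream\nendobj",
        b"4 0 obj << /Length %d /Length1 %d >> stream\n" % (len(font), len(font))
        + font + b"\nendstream\nendobj",
        b"trailer << /Root 1 0 R >>\n%%EOF",
    ])


if __name__ == "__main__":
    for h in carve_sfnt(build_sample()):
        print(f"obj {h['obj']} at 0x{h['offset']:X}: {h['size']} bytes, "
              f"encoded={h['encoded']}, tables={h['tables']}, sha256={h['sha256'][:16]}")
```

The recorded offset is that of the raw stream data, so for an uncompressed FontFile2 it points straight at the sfnt magic, while for a compressed one it points at the deflate stream and the hash covers the decoded bytes; both copies of the constructed font therefore hash identically. The table directory is what an analyst looks at next when T1203 is on the table, since the glyph and hinting tables are the parts a font engine parses and executes most aggressively.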