Malicious PDF — malware analysis report

Static analysis result for SHA-256 b5f61f1298dc9527…

MALICIOUS

PDF

74.7 KB Created: 2021-04-06 06:05:07 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8843e545f842f20e3f2566efe6fe548c SHA-1: b840aa293a595c81436bfcb933e0b0f8d2b883ce SHA-256: b5f61f1298dc9527a4b8d00c3fb5cbc01881bcab0702712656d48fd9ab9592af
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

The PDF file contains numerous external links, with a critical heuristic identifying it as a PDF SEO link farm. One of the primary external URLs, https://ponafet.ru/wix?keyword=leapfrog+letter+factory+phonics+and+numbers, is flagged as unknown reputation, suggesting a malicious intent. ClamAV also detected the file as Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0, reinforcing its malicious nature. The document's structure and embedded links indicate an attempt to direct users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ponafet.ru/wix?keyword=leapfrog+letter+factory+phonics+and+numbers
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/1ec2440a-21cb-4ac0-aa5e-85b79613827e/55324539362.pdf
    • https://82656f1f-dd0f-4426-89ca-c5688288f975.filesusr.com/ugd/56de54_918658bbb8df4cb988fde4eb7aa0b285.pdf?index=true
    • https://uploads.strikinglycdn.com/files/c48c4152-e48f-4a31-9f89-251d38af3c4b/napado.pdf
    • https://41c240d9-b4af-4f88-8fa4-2a41cce3a287.filesusr.com/ugd/01bc73_399af03762374dd286bbc333395ca2e7.pdf?index=true
    • https://uploads.strikinglycdn.com/files/19c3cedb-1fe3-45ce-8d69-63850bbfd8cc/winin.pdf
    • https://78fc25e8-d533-4ec3-a480-3617e8cc0d4b.filesusr.com/ugd/aa5866_9e9871c5a0e248e6a19cd5fed6081c56.pdf?index=true
    • https://2a26c5f8-c4f8-4af8-830b-7e2c9961bd8e.filesusr.com/ugd/2e4362_c22825abcb384db08d5e8f11f763ecc1.pdf?index=true
    • https://7980b0ff-2efe-48f4-a442-6c87bca80713.filesusr.com/ugd/9bd8c3_c5071437147846f697f662d6d101ce9d.pdf?index=true
    • https://s3.amazonaws.com/selivuvumepaveb/91698625660.pdf
    • https://0eaabcdb-938a-45a6-85a3-1a7d796bbcdd.filesusr.com/ugd/8d6d25_340adbd9e6eb4aac8ff3b8c059ec31b4.pdf?index=true
    • https://uploads.strikinglycdn.com/files/237e61aa-083f-4921-a6cf-0aa6e2143f4a/jlab_neon_bluetooth_headphones_walmart.pdf
    • https://9d349da1-218b-4b59-9e37-2a90cab56d40.filesusr.com/ugd/de9003_5ad8bf8a4c56440e89788f274108cca7.pdf?index=true
    • https://s3.amazonaws.com/dosalapasenow/34422134687.pdf
    • https://s3.amazonaws.com/rumezo/significado_de_informante_en_ingles.pdf
    • https://s3.amazonaws.com/rikolesafuwofar/wahl_clippers_service_manual.pdf
    • https://uploads.strikinglycdn.com/files/b7e0120e-a8f3-41f4-b4d2-64f99d3de8fc/vedopopoguzagotimadavoba.pdf
    • https://uploads.strikinglycdn.com/files/1a90f794-6955-4d95-9597-59184ad1e01c/napegegixorosokilebajatad.pdf
    • https://uploads.strikinglycdn.com/files/9d5ed8c2-3b50-406c-8906-b9bd3e38ad21/in_christ_alone_hope_is_found.pdf
    • https://uploads.strikinglycdn.com/files/ea8b706d-0f5a-46a0-9737-3dfe45df9ec1/povoxu.pdf
    • https://uploads.strikinglycdn.com/files/3485089e-c0d4-4acf-bc58-a1f365181274/us_history_critical_thinking_questions_answers.pdf
    • https://uploads.strikinglycdn.com/files/2eb58189-6668-4c4f-9fc1-0e2b24af9c48/7406370982.pdf
    • https://uploads.strikinglycdn.com/files/0d722341-35ca-4ec7-93d8-5c64e2159971/volume_of_cuboid_calculator.pdf
    • https://184d393c-d2ff-49e5-bbcb-48626b1dbf88.filesusr.com/ugd/49be48_c9b3b209e952454196d3d86d2832da4a.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e3d0.bin
086840eb9e39833f0e17c3dde58b702ca02d2f4900237de382a7e2dfd7085f58		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE3D0 5752 bytes
font_01_sfnt_off0000f740.bin
7e76546ec9392632e570503c4b560ca641103caf7e7ed35d229980302f0ee8b0		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF740 11104 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.