Malicious PDF — malware analysis report

Static analysis result for SHA-256 be17f206d14ddbb1…

Verdict: MALICIOUS
File type: PDF
Size: 86.6 KB
Created: 2021-05-30 01:51:51 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d4bc924ed340c013340392c8c9c4625b
SHA-1: e000d98e225321f8a94630b6a5e6c1feadc88500
SHA-256: be17f206d14ddbb1d34c718e6129d46301131d47723191aa63f94e325be094fa
Risk Score: 154

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file exhibits characteristics of a phishing or SEO spam campaign, indicated by the 'PDF_SEO_LINK_FARM' heuristic and the presence of numerous external links. The embedded URL 'https://ponafet.ru/strik?utm_term=voice+monkey+voice+changer+with+effects+pro+mod+apk' suggests a lure to a potentially malicious site. The ML classifier and ClamAV detection further support its malicious nature, classifying it as a phishing trojan.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9766

Heuristics (4)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • [info] PDF_URI: External URI
    PDF contains an external URL action
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ponafet.ru/strik?utm_term=voice+monkey+voice+changer+with+effects+pro+mod+apk

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename                      | SHA-256                                                          | Kind            | Source                                     | Size
------------------------------|------------------------------------------------------------------|-----------------|--------------------------------------------|------------
font_00_sfnt_off0000f2e3.bin  | c73373c7c5fd9ad42253116fb7d05d5ef4dcf2d4f7660f74b1695f99b5cf3f5c | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF2E3  | 5820 bytes
font_01_sfnt_off000106a3.bin  | 888074bb279871758e950718a25e4cd1207bc25232287d052e7b936c29ffb5b8 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x106A3 | 7232 bytes
font_02_sfnt_off00011eea.bin  | f2a564473c19a48e6a4e058598a7bf05cabd4a91bb48aa23acd4913d0497faa6 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11EEA | 11308 bytes
font_03_sfnt_off000145a3.bin  | dbadb15f6ddc9ab74f431fe4ef4013782472b7644048a7c50a3cb27bd7ee3fae | pdf-font-stream | PDF embedded font (sfnt) at offset 0x145A3 | 17344 bytes