Malicious PDF — malware analysis report

Static analysis result for SHA-256 d4c99bd9a90c0904…

Verdict: MALICIOUS
File type: PDF
Size: 99.2 KB
Created: 2021-04-01 10:12:03 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-20
MD5: 49a14009949ccec9562204f01252b7e4
SHA-1: cfd35bebaaa3ba80b06fb2d6c3ea591cceddb895
SHA-256: d4c99bd9a90c090475caa0a45c326ba7352f440a90563ef61b257b74e55fb939
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating phishing or trojan-like behavior. The PDF contains a significant number of external links, suggesting a link-farm or SEO-manipulation tactic. One of the primary URLs extracted, 'https://ponafet.ru/strik?utm_term=present+perfect+tense+exercises+with+answers+printable', is likely the intended destination for the user, potentially leading to further malicious content or phishing attempts.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ponafet.ru/strik?utm_term=present+perfect+tense+exercises+with+answers+printable (PDF link annotation)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off00013892.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13892 | 5084 bytes
  SHA-256: 0566d658ee306dc4e3bfd34ab6c751d2da60191470ee4d859e400838c69c7b75
font_01_sfnt_off000149d4.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x149D4 | 11528 bytes
  SHA-256: a9b47fc9a8e7d816a42192abce9e900d0235104de9005f2291e9642cbd61fbc5
font_02_sfnt_off0001712d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1712D | 4324 bytes
  SHA-256: ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3