Malicious PDF — malware analysis report

Static analysis result for SHA-256 d81ed7f8deb3db1f…

Verdict: MALICIOUS
File type: PDF
Size: 79.0 KB
Created: 2021-05-03 00:31:04 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 559e575917a4953a6f43ff1248ecd469
SHA-1: 69126b69dcbb9ae19319f8702c63aecfd3dea690
SHA-256: d81ed7f8deb3db1f24a143a640f33a72a624cba4a43886d82d031de59dab984b
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF contains numerous external links, and the critical PDF_SEO_LINK_FARM heuristic identifies it as a link farm: the file is small (79 KB, generated from HTML by wkhtmltopdf), yet most of its clickable links point at externally hosted .pdf files spread across a few third-party hosting domains rather than following a normal citation pattern. The primary malicious URLs, such as 'https://ponafet.ru/strik?utm_term=spanish+verbs+dictionary+pdf' and 'http://gapokaro.mywebcommunity.org/21889174172.pdf', fit a phishing or content-farming scheme in which search-engine-optimised PDF carriers route users into malicious or unwanted-software delivery chains. No scripts were extracted from the file, so the T1059.007 (JavaScript) mapping is not corroborated by any extracted object; the malicious verdict rests on the link-farm structure, the ClamAV signature and the classifier score, and the likely role of the file is initial access via a spearphishing attachment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics 5

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • [info] PDF_URI: External URI info
    PDF contains an external URL action.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader resolves the first definition and a last-wins reader (the normal incremental-update semantics) resolves the most recent one, so the two see different content; this is a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content (a URI, JavaScript or launch action).
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Note that the list below mixes clickable link targets with URIs that occur only as data: the RDF/XMP namespace URIs come from the document metadata, and the type-foundry and font-licence URLs (ascendercorp.com, daltonmaag.com, scripts.sil.org/OFL) most likely come from the name tables of the embedded fonts.
    • https://ponafet.ru/strik?utm_term=spanish+verbs+dictionary+pdf
    • http://gapokaro.mywebcommunity.org/21889174172.pdf
    • http://xejopegig.mypressonline.com/57805351322.pdf
    • http://tudeboroxope.22web.org/what_is_a_visual_learner_called.pdf
    • http://zevewidojodot.mywebcommunity.org/degenerate_distribution.pdf
    • http://pezafuvux.iblogger.org/pepiwojolowuju.pdf
    • http://feremujidonigu.getenjoyment.net/brene_brown_definition_of_vulnerability_dare_to_lead.pdf
    • http://saripituxupagek.sportsontheweb.net/sekuwegaduvovulesolu.pdf
    • http://varigiz.iblogger.org/el_coreano_loco_playlist.pdf
    • http://wemedimixodi.iblogger.org/danidivuzexemelovegeko.pdf
    • http://momarivido.mypressonline.com/91275646255.pdf
    • http://lirifajo.sportsontheweb.net/zekad.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://uploads.strikinglycdn.com/files/a52b4843-a3c5-4629-ab3d-78fe56988b27/dd_3.5_magic_items_by_level.pdf
    • https://uploads.strikinglycdn.com/files/6af3845e-00cf-4ac6-8702-49e30675e453/canon_mg6320_print_head_replacement.pdf
    • https://be9c8297-50e9-4ec8-be22-7cc4068ef96a.filesusr.com/ugd/fc3b0b_881ddecec46849eeb408ed033188e755.pdf?index=true
    • https://38e81cab-313f-462b-917d-d566bf782aa4.filesusr.com/ugd/36aba1_448367e0f645440aaa29b64f892d7710.pdf?index=true
    • https://uploads.strikinglycdn.com/files/4b9e5e91-d9e9-4de2-a693-a1d590c691bb/84199751246.pdf
    • https://uploads.strikinglycdn.com/files/32623acb-b707-4dbe-8d39-4daee3ed208f/how_to_put_batteries_in_mini_diamond_wand.pdf
    • https://uploads.strikinglycdn.com/files/92949992-5502-49c8-8855-1028ca7b88ba/93804908735.pdf
    • https://e192e36c-395d-4660-9df6-aa7aed00c30a.filesusr.com/ugd/3aee12_7d2eb5f8e0e740288765cdc3ca500bf2.pdf?index=true
    • http://pakifisaxere.epizy.com/lemaxibosadek.pdf
    • https://uploads.strikinglycdn.com/files/4e43343a-4538-4790-aeb2-84523c9c3acb/quran_with_hindi_translation_and_tafseer.pdf
    • https://uploads.strikinglycdn.com/files/b4e25cc4-adc4-4bb3-97dd-9a0569dcdb43/wosonotobepudujelifo.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

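The two structural heuristics above (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and PDF_SEO_LINK_FARM) can be reproduced with a raw byte scan of the file. The script below is an added example written for this page, not the analysis engine's own code; it runs on a constructed minimal PDF (not the analysed sample) in which object `4 0` is redefined in an incremental update and the remaining link annotations point at one host. The thresholds (`max_size`, `min_pdf_links`, `cluster_share`) and the set of "active content" keys are assumptions chosen for illustration, and the regex lexer is deliberately simple: it does not handle streams whose payload contains the bytes `endobj`, nor escaped parentheses inside URI strings.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample, not the analysed file: a minimal PDF whose object 4 0 is
# defined twice with different bodies (the second copy sits in an incremental
# update after the first %%EOF), and whose other link annotations all point at
# one host. Xref tables are omitted; the raw byte scan below does not use them.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example.com/a.pdf) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://farm.example/b.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://farm.example/c.pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://farm.example/d.pdf) >> >> endobj
trailer << /Root 1 0 R /Prev 9 >>
%%EOF
"""

# "N G obj ... endobj" pairs. Adequate for a heuristic scan; a stream whose
# payload contains the bytes "endobj" would need a real PDF lexer.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Assumed set of keys whose presence in a duplicated body means the duplicate
# carries active content, the condition under which severity is raised.
ACTIVE_KEYS = (b"/URI", b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction", b"/AA")


def object_table(data, policy="last"):
    """Map (num, gen) -> body bytes, keeping the first or the last definition.

    A first-wins reader stops at the first definition of an object number; a
    last-wins reader (normal incremental-update semantics) takes the most
    recent one. Building both views is what exposes the confusion shape.
    """
    table = {}
    for m in OBJ_RE.finditer(data):
        key = (int(m.group(1)), int(m.group(2)))
        if policy == "first" and key in table:
            continue
        table[key] = m.group(3).strip()
    return table


def duplicate_objects(data):
    """Return {(num, gen): severity} for object numbers defined more than once
    with differing bodies: 'critical' when any duplicate body carries active
    content, otherwise 'info', mirroring the report heuristic."""
    bodies = {}
    for m in OBJ_RE.finditer(data):
        key = (int(m.group(1)), int(m.group(2)))
        bodies.setdefault(key, []).append(m.group(3).strip())
    result = {}
    for key, defs in bodies.items():
        if len(set(defs)) < 2:
            continue  # byte-identical redefinition is not a confusion shape
        active = any(k in body for body in defs for k in ACTIVE_KEYS)
        result[key] = "critical" if active else "info"
    return result


def link_uris(data, policy="last"):
    """External /URI targets as a reader with the given policy resolves them."""
    return [u.decode("latin-1") for body in object_table(data, policy).values()
            for u in URI_RE.findall(body)]


def link_farm_verdict(data, policy="last", max_size=200 * 1024,
                      min_pdf_links=3, cluster_share=0.75):
    """Approximation of PDF_SEO_LINK_FARM: a small file with several clickable
    external links to .pdf targets, most of them on a single host."""
    uris = link_uris(data, policy)
    hosts = Counter(urlparse(u).hostname or "" for u in uris)
    pdf_links = [u for u in uris if urlparse(u).path.lower().endswith(".pdf")]
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_count / len(uris) if uris else 0.0
    flagged = (len(data) <= max_size and len(pdf_links) >= min_pdf_links
               and share >= cluster_share)
    return {"policy": policy, "uris": uris, "top_host": top_host,
            "top_share": round(share, 2), "link_farm": flagged}


if __name__ == "__main__":
    print("duplicates:", duplicate_objects(SAMPLE_PDF))
    for policy in ("first", "last"):
        print(link_farm_verdict(SAMPLE_PDF, policy))
```

Running the script shows why the duplicate-object heuristic matters for the link-farm one: a first-wins reader resolves object `4 0` to `http://example.com/a.pdf` and sees only two of three links on `farm.example`, so it stays under the clustering threshold, while a last-wins reader resolves it to `http://farm.example/d.pdf` and sees every link on one host. The duplicate is reported as `critical` because both of its bodies carry a `/URI` action.
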
Extracted artifacts 3

Files carved from inside the sample during analysis. All three are embedded sfnt (TrueType/OpenType) font programs, which is consistent with a wkhtmltopdf-generated document; they are listed for completeness and are not themselves the basis of the verdict.

  • font_00_sfnt_off0000e7d0.bin
    SHA-256: f695b71cd105a9df4839f2c47882454ef979c24ade94e526d67c169f91c8efae
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE7D0
    Size: 5404 bytes
  • font_01_sfnt_off0000fa1c.bin
    SHA-256: c6fcd0ad713022108631a1427de2f6df7d282e352f531307648369539b44193e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFA1C
    Size: 11372 bytes
  • font_02_sfnt_off000120cc.bin
    SHA-256: a542ec26cea93e049a2e27cd59b1347dd9bbdea13775fd7b822b3c2b3136116f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x120CC
    Size: 4324 bytes