Malicious PDF — malware analysis report

Static analysis result for SHA-256 dfeb3211ab2f720c…

Verdict: MALICIOUS
File type: PDF
Size: 78.3 KB
Created: 2021-03-05 21:39:16 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 843ca7ac9d55f9e2eb41b1be2b72a784
SHA-1: 4c33936d0777ea4e39e8cacf7ac28d8b4324e1ae
SHA-256: dfeb3211ab2f720c3ff432e7baaa6f79e995261cff2557617980f3fc7c898adf
Risk Score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, identified as a 'PDF_SEO_LINK_FARM' heuristic. One of these links, 'https://ponafet.ru/123?utm_term=bersa+thunder+380+vs+walther+ppk+size', is flagged as suspicious. The presence of numerous links suggests an attempt to manipulate search engine results or distribute malicious content, aligning with spearphishing tactics.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    The PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ponafet.ru/123?utm_term=bersa+thunder+380+vs+walther+ppk+size (flagged as suspicious)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000f220.bin | e684ce174139f2dc872df5c17245a5211156523b573ded528f773c12a481d8a8 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF220 | 5864 bytes
font_01_sfnt_off00010621.bin | ac7d08f68b89ba01fef03f19ed1b73c462bbedab7a555f13faad33351cd5d158 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10621 | 11112 bytes