Malicious PDF — malware analysis report

Static analysis result for SHA-256 edc0252196aae9d3…

Verdict: MALICIOUS
File type: PDF

Size: 91.8 KB
Created: 2021-03-30 10:56:45 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 75f417a7c93824dd8f6c7d42e1ff5925
SHA-1: 820dbed793b27c8a915ac7ee0e22c82b6dc49049
SHA-256: edc0252196aae9d368a140179be194bf3a502e26a67439882bf92e867d7990d8
Risk Score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF was flagged as malicious by ClamAV and an ML classifier, indicating it's likely a phishing or trojan delivery mechanism. The heuristic PDF_SEO_LINK_FARM indicates a large number of external links, with 'https://ponafet.ru/123?utm_term=argumentative+essay+phrases+pdf' and 'http://pemegira.22web.org/52202707698.pdf' being prominent examples. The document body, though heavily obfuscated, contains references to 'argumentative essay phrases pdf' and the authoring application 'wkhtmltopdf', suggesting a lure to disguise the malicious link farm.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] (PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ponafet.ru/123?utm_term=argumentative+essay+phrases+pdf
    • http://pemegira.22web.org/52202707698.pdf
    • https://static.s123-cdn-static.com/uploads/4486215/normal_5fc8c82ee24dc.pdf
    • https://cdn-cms.f-static.net/uploads/4462038/normal_60249c45d204e.pdf
    • https://static.s123-cdn-static.com/uploads/4450728/normal_5ff5720826db3.pdf
    • http://retapadu.medianewsonline.com/universidad_del_tolima_sede_tunal.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.opentle.org
    • https://uploads.strikinglycdn.com/files/101f684b-f662-4b90-84bd-073a083fa9ac/pentair_superflo_parts.pdf
    • https://2a983b51-2e13-4971-8c1f-a5bca3ab4353.filesusr.com/ugd/e1a791_ee7a870b14624b35948ff031ba3278dc.pdf?index=true
    • https://cd29ef07-728f-4a0b-b57b-23e770395c36.filesusr.com/ugd/f14cf6_72f8e5926f2846e5923daa8a8d324faf.pdf?index=true
    • http://jelunegizubu.atwebpages.com/air_pollution_effects_on_animals.pdf
    • https://uploads.strikinglycdn.com/files/c942600e-cdc5-4cc0-979b-dd8d2ff1a9e9/madame_bovary_window_quotes.pdf
    • https://uploads.strikinglycdn.com/files/8c391828-b5e8-45fd-b5ec-1a7ee77601b9/heil_hvac_parts_near_me.pdf
    • https://4253c66a-660d-4c83-b31d-f715833d547b.filesusr.com/ugd/d9e9a0_c95be2cbfa2645b8aa942acdf727b4d3.pdf?index=true
    • https://2a1457bb-a4d2-449b-8914-d784a503a6da.filesusr.com/ugd/c0fca2_9a46374fa10846fc9d643ca3c012792f.pdf?index=true
    • https://f39f7cea-6337-46de-af4f-699959e6db0a.filesusr.com/ugd/004672_9f1c93f2f9914c18a407a02bdc17b305.pdf?index=true
    • http://wizomatuzepa.rf.gd/kososapuzopaloxirenotav.pdf
    • https://c30b87d5-e38e-4f4c-8f61-e356d9eaafe8.filesusr.com/ugd/347120_e8eed8fa408d49adb958da2f1f41b7bd.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://www.gnu.org/licenses/gpl.html

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00011799.bin
  SHA-256: 7e5fb34978c28943316cb4aa077fe5ffcc8a9f6737efcbae45b7624614ce96d1
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x11799
  Size: 5572 bytes

Filename: font_01_sfnt_off00012a69.bin
  SHA-256: 96cedaea2146d1a137d3e2c79600fe668aa3b14dde198a1f28c9f78ece9ed829
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x12A69
  Size: 6524 bytes

Filename: font_02_sfnt_off00013b8b.bin
  SHA-256: b549aa758043a19d7ed1c8fdb87749c42c336f619b05640a2458068753b220d8
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x13B8B
  Size: 11088 bytes