Malicious PDF — malware analysis report

Static analysis result for SHA-256 ef34e2cfd16a779d…

MALICIOUS

PDF

70.5 KB Created: 2021-03-24 07:48:42 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 61c3f526a52bc362488bbb12ddf3e895 SHA-1: ee0bcebf2c67c82b1e3174be6b13353a3d092ad5 SHA-256: ef34e2cfd16a779d6f582da316d76817dbba77c168764d5a0111508e317b686f
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains numerous external links, with one prominent link pointing to 'ponafet.ru'. The heuristic 'PDF_SEO_LINK_FARM' indicates a large number of external links, suggesting a link farm or phishing operation. ClamAV detection as 'Pdf.Phishing.Trojan' further supports a malicious intent. Although no scripts were explicitly extracted, the presence of external links and the phishing classification suggest an attempt to redirect users to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ponafet.ru/123?utm_term=4-+2+practice+congruent+triangles+answer+key
    • https://static.s123-cdn-static.com/uploads/4472763/normal_5ffda767d7368.pdf
    • https://cdn-cms.f-static.net/uploads/4495251/normal_6029799e5f21a.pdf
    • https://fovevirikat.weebly.com/uploads/1/3/0/7/130775443/kamoxiwaputoj_foripofuxuj_witegi_xamorun.pdf
    • http://hookup666.site/jigotaxumipujm3fz0.pdf
    • https://petovowatudero.weebly.com/uploads/1/3/1/6/131606592/sibadofos.pdf
    • http://golosa-spasibo.ru/twilight_breaking_dawn_part_1_google_driveuo2vw.pdf
    • http://cocobeautybar.ca/microsoft_project_2019_download_link0zx2f.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://5e04165b-6ab1-49a6-9937-45006fc2fbeb.filesusr.com/ugd/d19879_83df9615b8634580978da1fea1cfcf92.pdf?index=true
    • https://uploads.strikinglycdn.com/files/0c5547c6-0054-4fd2-83fe-12bb97417438/primos_hunting_truth_cam_35_ultra.pdf
    • https://uploads.strikinglycdn.com/files/0475d99d-33b6-4c6b-81e6-bbf31d6f8fc8/what_is_forbidden_knowledge_in_the_bible.pdf
    • https://cfff6b0e-fc0f-4d9c-a983-c0e60c8b2bfd.filesusr.com/ugd/c637e3_0330662edbec46b6aa297ed92c7c61d5.pdf?index=true
    • https://uploads.strikinglycdn.com/files/4fec629b-aec2-4f14-a2ae-7746688d386d/zaremuxinuredemuxo.pdf
    • https://uploads.strikinglycdn.com/files/b4702cfd-f6ec-4bea-a4ee-94eab8bab63c/68198406789.pdf
    • https://9e084d23-5bbf-42ad-98e9-fa9200f8584e.filesusr.com/ugd/4f663b_aa60ccc04371482a9ce88b81423bcf23.pdf?index=true
    • https://uploads.strikinglycdn.com/files/92860538-12e7-4307-8f94-a7ab5253f237/acer_chromebook_15_cb3-532_charger.pdf
    • https://6d706a39-1f93-4f1a-9423-caccf7e65e71.filesusr.com/ugd/69f91f_6cd3954b5e9d4596b26ed6373e01b481.pdf?index=true
    • https://uploads.strikinglycdn.com/files/f2ae122a-a3a9-47f1-a385-998e5d66b436/tubogopifuvavokapaziludo.pdf
    • https://uploads.strikinglycdn.com/files/d67a9224-073c-4d61-adc2-01262ef6979f/royal_caribbean_deluxe_beverage_package_discount.pdf
    • https://uploads.strikinglycdn.com/files/57e33b9b-3f69-4d5a-b403-859b784a8edb/83930534243.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d887.bin
f49c674f93949a8bf10c95731204253c9d8f4eaa71611b572deffb87104ee305		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD887 5516 bytes
font_01_sfnt_off0000eb88.bin
2a56d8460c141e0f448f116a27b1b3772c0e5f320117e0e333073a322db7280f		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEB88 9732 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.