Malicious PDF — malware analysis report

Static analysis result for SHA-256 f6c63c0917edf2db…

Verdict: MALICIOUS
File type: PDF
Size: 73.8 KB
Created: 2021-03-27 22:12:19 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1695167855ff01ffed4926505f62a6d6
SHA-1: 233d7eb1affc6e3f179561b4c78342b774890238
SHA-256: f6c63c0917edf2dba7115ea9b0d0bce7ad2269025b23e297c5e6e1fc0cfe1209
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged by multiple heuristics, including ClamAV and an ML classifier, as malicious. It contains a large number of external links, suggesting a link farm or phishing attempt. The primary malicious URL identified is https://ponafet.ru/123?utm_term=netacad+chapter+3+exam+answers+2016, which is likely used to redirect the user to a malicious site. No scripts were extracted, but the PDF structure and numerous external links indicate a malicious intent to direct users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9997

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ponafet.ru/123?utm_term=netacad+chapter+3+exam+answers+2016

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000de36.bin
    SHA-256: 908f5ed4531db5dbe6e206a920d8cc22cddf52eaa01949efcae17725d39d0fb5
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xDE36
    Size: 6052 bytes
  • Filename: font_01_sfnt_off0000f2c1.bin
    SHA-256: 9cdeb1fda1e9c5049f346265c14d790d8bcc68a8eebd2b3eadf4a33f75650fb3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF2C1
    Size: 11436 bytes