Malicious PDF — malware analysis report

Static analysis result for SHA-256 014020be5c14f518…

MALICIOUS

PDF

156.8 KB Created: 2021-05-08 09:08:43 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e7083308f39d3c09dd815157174bd556 SHA-1: 76cf8706e84d884de4b06dc1f22c844feb2d3ffe SHA-256: 014020be5c14f51894a4e89b6ab59519e537601be9f0dcff22964559b8c0e700
126 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF was flagged by ClamAV as Pdf.Phishing.Trojan and ML classifiers indicated maliciousness. It contains numerous external URIs, with one pointing to a suspicious domain 'vilenefex.ru' that is likely used for phishing or malware distribution. The heuristic 'PDF_SEO_DISPOSABLE_LINK_FARM' further suggests a malicious intent to host many links on disposable domains.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9957

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://vilenefex.ru/strik?utm_term=quran+arabic+learning+urdu
    • http://gefosezidubajoz.scienceontheweb.net/xekurawirotax.pdf
    • https://joriwonakogilul.weebly.com/uploads/1/3/5/3/135305945/1858694.pdf
    • https://situzofunuk.weebly.com/uploads/1/3/5/3/135305293/52dcaf5949.pdf
    • https://jadotonevuwupu.weebly.com/uploads/1/3/1/4/131407011/dokiviwoxukevizoba.pdf
    • https://mewurotimopu.weebly.com/uploads/1/3/1/3/131381658/b2abd6320c138d.pdf
    • https://dozogifelezu.weebly.com/uploads/1/3/4/3/134313369/573756a66f427.pdf
    • https://kixovomez.weebly.com/uploads/1/3/4/8/134868331/badibogujibib.pdf
    • https://vovasodakujex.weebly.com/uploads/1/3/0/8/130874601/rarodu-fumidineb-nesonelu-gazenurinasile.pdf
    • http://wetiludivarag.scienceontheweb.net/lepinaparitij.pdf
    • http://zonizubiro.getenjoyment.net/does_osha_require_employers_to_pay_for_hard_hats.pdf
    • https://webimilosajepi.weebly.com/uploads/1/3/4/8/134859137/313849427db1617.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://fedorahosted.org/lohit
    • https://7b9449e5-51e9-4a7e-81f5-8587c42320f9.filesusr.com/ugd/571bad_3d930505e4444a9ebc546975adf12bd4.pdf?index=true
    • https://e082cb0d-9c22-4a21-acb7-e2c6127a51d3.filesusr.com/ugd/ff0c06_bbcb3b5a3234458da5024b67992f1db1.pdf?index=true
    • http://badamowafe.onlinewebshop.net/marketing_plan_report.pdf
    • https://s3.amazonaws.com/xamapebonijos/innova_3040_rs_v1.pdf
    • https://s3.amazonaws.com/kofabube/10649492298.pdf
    • https://30fe55a9-f0c7-4aec-9bf5-b9d2225d99a8.filesusr.com/ugd/c4a51e_76b2bd9eccb04ed88edf50af72b7bbfc.pdf?index=true
    • https://832c8a8d-f05d-46e3-9166-97d9de82ace4.filesusr.com/ugd/432509_533ce87d270b424396f7c3f8c25fe963.pdf?index=true
    • https://s3.amazonaws.com/tumasun/xevuruviwosomufip.pdf
    • https://s3.amazonaws.com/zesixefe/37936886867.pdf
    • https://2c549fd3-bbcc-4e43-aea5-84609313cfd4.filesusr.com/ugd/c162b3_b91d2fdbae3547e6ba6b52af45e28039.pdf?index=true
    • https://7133fc40-0b9c-4701-b953-e7fafc934b44.filesusr.com/ugd/70a38d_1d0d4a1bd66740cbbe88fbb5dd6404d0.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    • http://scripts.sil.org/OFL

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_007_off000218d6.bin
d92695c67d9407af028e49c271fc12081d1367ad2a3823eb478ab0ae8fe8dcec		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x218D6 33060 bytes
font_00_sfnt_off0001cece.bin
f09bb8a5b3d52a1213b2e7a620ecb432bc97ed13844b49799c0a14e871787997		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1CECE 4600 bytes
font_01_sfnt_off0001dec4.bin
b91c3fc067fd45f75414634bcfc221be727aeb33aac06e2eb973dbd53b66f887		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1DEC4 5128 bytes
font_02_sfnt_off0001f03a.bin
a9f9819ebb4092f510c90f2e7d216d143ad2aabde8d17886fe05eda8f57d0314		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1F03A 12232 bytes
font_04_sfnt_off000251d0.bin
04da3957dde17f96ff16abc41878c7e488af80b75851a4661eb98607a9bc4303		 pdf-font-stream PDF embedded font (sfnt) at offset 0x251D0 4236 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.