Malicious PDF — malware analysis report

Static analysis result for SHA-256 09d3c4002e844374…

MALICIOUS

PDF

76.4 KB Created: 2021-04-17 00:22:13 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8743d72f7daee8e7c60fbc9d55813c62 SHA-1: e174c53da0e8a49ba74a05c538b94b6a4c61eac7 SHA-256: 09d3c4002e84437428de18666a3bd1a74b8216668824dfa113612dbc038a37a3
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was flagged by multiple heuristics, including ClamAV and an ML classifier, as malicious and phishing-related. It contains numerous external links, with a primary suspicious URL pointing to 'vilenefex.ru'. Although no scripts were explicitly extracted, the PDF structure and the presence of external links suggest an attempt to redirect the user to a malicious site, likely for credential harvesting or further malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://vilenefex.ru/strik?utm_term=how+to+set+alarm+in+skmei+sports+watch
    • https://cdn-cms.f-static.net/uploads/4469135/normal_601bab7aabdbb.pdf
    • https://cdn-cms.f-static.net/uploads/4488804/normal_605d74c1877c9.pdf
    • https://cdn-cms.f-static.net/uploads/4479933/normal_600cc892dd57e.pdf
    • https://cdn-cms.f-static.net/uploads/4485014/normal_604f4b6c44f13.pdf
    • https://static.s123-cdn-static.com/uploads/4386089/normal_5ff96be8e5855.pdf
    • https://cdn-cms.f-static.net/uploads/4454575/normal_600bcc6420ab7.pdf
    • https://static.s123-cdn-static.com/uploads/4385415/normal_5ff0b0b88e995.pdf
    • https://cdn-cms.f-static.net/uploads/4368740/normal_604a4f5c7b668.pdf
    • https://cdn-cms.f-static.net/uploads/4374686/normal_606ad5434176f.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://b54663a3-ff9d-4122-b75c-69b71428c9b0.filesusr.com/ugd/cfa91a_81c9bd8434714e428a9fe98b04d09d80.pdf?index=true
    • https://e0bfa911-60eb-4c53-bd8d-ceec25156dfb.filesusr.com/ugd/0a052f_56de1cf4d04c4aeb9baba6760a2fb2d2.pdf?index=true
    • https://uploads.strikinglycdn.com/files/1536397f-21bc-4f3d-8eb3-97af1c902e7a/mobizen_screen_recorder_internal_audio_apk.pdf
    • https://uploads.strikinglycdn.com/files/6104a771-c727-44d9-a049-600ddfa380b1/reflexive_verb_examples_in_spanish.pdf
    • https://uploads.strikinglycdn.com/files/409d9270-6921-4135-933a-5c958960762d/76143263250.pdf
    • https://uploads.strikinglycdn.com/files/3732cc72-0c9e-496f-a964-fa775847a780/54713369127.pdf
    • https://uploads.strikinglycdn.com/files/7f32d191-3d06-456a-8dc4-b548701b578c/pemamega.pdf
    • https://2c8134a4-d865-4da1-8961-c755d7242105.filesusr.com/ugd/6dcf04_99c7b03ff8f84838bc52be6405a08815.pdf?index=true
    • https://uploads.strikinglycdn.com/files/724daa30-4a25-431b-baff-93f83f405d97/line_6_firehawk_fx_pedal.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e412.bin
7650a75f9135f6e5a3399a8a1eaaa166119d634bb8e2d550a14c1b37e56e271e		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE412 5292 bytes
font_01_sfnt_off0000f5eb.bin
ac563f1180543c9f4d9b102108afa0e0941b2fd4f199aa08af3cddd05ca1801a		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF5EB 2048 bytes
font_02_sfnt_off0000fec7.bin
83580e461b0a3820e1095aa794e08c84997daaaa9c3b84dd34805bf566619cb4		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFEC7 11020 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.