Malicious PDF — malware analysis report

Static analysis result for SHA-256 0ec03b70bc11b22a…

Verdict: MALICIOUS
File type: PDF
Size: 79.1 KB
Created: 2021-05-26 00:44:11 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 744772a272f59ad5ecb131cdc8eb195a
SHA-1: 78e6c228629fe9aeef0f90e612cd86e1b14bb5f8
SHA-256: 0ec03b70bc11b22aa33287d24a70f554f32c0c55bb81fa15ad871b5e0d0d09e6
Risk score: 154

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of clickable external links, flagged by the PDF_SEO_LINK_FARM heuristic. The primary URL of interest is https://vilenefex.ru/strik?utm_term=calculus+volume+1-op.pdf; the remaining link targets are PDF downloads on weebly.com, strikinglycdn.com and S3 buckets with random-looking names, the pattern of a generated link-farm PDF used to manipulate search results or route readers into malicious or unwanted-software delivery chains. No JavaScript or other script content was extracted from the file (the only carved artifacts are two embedded fonts), so the T1059.007 (JavaScript) mapping is not corroborated by the artifacts in this report; T1566.001 (Spearphishing Attachment) reflects the file's role as a delivered lure that points victims at further downloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than the citation pattern of a normal document.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so the severity is raised only when the duplicate carries active content; here it stays at info.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. In this sample, 25 entries are links to PDF downloads on vilenefex.ru, weebly.com, strikinglycdn.com and s3.amazonaws.com; the two ascendercorp.com entries and scripts.sil.org/OFL are font-vendor and Open Font License URLs of the kind carried in embedded font metadata (two sfnt fonts are carved below); the http://www.w3.org/, purl.org and ns.adobe.com entries are XMP/RDF namespace URIs from the document metadata, not navigable links.
    • https://vilenefex.ru/strik?utm_term=calculus+volume+1-op.pdf
    • https://jexujomasok.weebly.com/uploads/1/3/5/3/135343442/8415711.pdf
    • https://judozolu.weebly.com/uploads/1/3/1/4/131407514/2036967.pdf
    • https://demifezi.weebly.com/uploads/1/3/1/3/131379940/lutabomeritazatuger.pdf
    • https://vimasavugaf.weebly.com/uploads/1/3/4/5/134587410/dedujid.pdf
    • https://nokogijesa.weebly.com/uploads/1/3/1/4/131452879/vudizelofuwato_megikopi.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/9e1aecfb-3039-47d5-b643-6cb3715861a7/55172127192.pdf
    • https://uploads.strikinglycdn.com/files/ac95b9e6-9d7b-42e5-8aab-49d26e88822f/51700465807.pdf
    • https://uploads.strikinglycdn.com/files/d1785701-f311-4633-83bb-77051a05fc03/vinakezurawekew.pdf
    • https://uploads.strikinglycdn.com/files/a3c66235-dfb5-4552-bf47-99434a92062e/retakitesuwokazifikogaf.pdf
    • https://s3.amazonaws.com/dubiditiginowo/singer_prelude_instructions.pdf
    • https://s3.amazonaws.com/zazelujeju/nesed.pdf
    • https://s3.amazonaws.com/nemafu/jipidajadopedirulili.pdf
    • https://s3.amazonaws.com/xijuxosisomuna/cea_lgbr_report_2016-_17.pdf
    • https://s3.amazonaws.com/sowewazulejewi/56108164683.pdf
    • https://s3.amazonaws.com/nelizenejakarug/camila_and_shawn_mtv_performance.pdf
    • https://uploads.strikinglycdn.com/files/6521970e-a6e3-44cf-9c60-0afc3fd3c368/delta_gateway_4-in-1_crib_instructions_manual.pdf
    • https://s3.amazonaws.com/fuvidokibet/marina_beach_la_song.pdf
    • https://uploads.strikinglycdn.com/files/366464d1-1302-4625-a8a6-a7680a474b6b/87622657326.pdf
    • https://uploads.strikinglycdn.com/files/017227ad-17f6-49dc-b45e-848010159ce2/gopro_hero_3_startup_guide.pdf
    • https://s3.amazonaws.com/baxegezivumi/honda_eu_6500_generator_specs.pdf
    • https://s3.amazonaws.com/davawina/amrinder_singh_all_songs.pdf
    • https://s3.amazonaws.com/libusamagowuvo/lol_guide_vayne_adc.pdf
    • https://s3.amazonaws.com/sewamos/mijarigerugewoginororav.pdf
    • https://s3.amazonaws.com/kifutizijebuj/davaxinilaxexegetej.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
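The three shapes the heuristics above describe (a link farm clustered on one host, an object id defined twice with different bodies, and per-URL channel labels that separate clickable targets from metadata namespaces) as working triage logic. This is an added example, not the analysis platform's code; it scans raw PDF bytes, handles only plain "N G obj ... endobj" objects, and runs over a PDF constructed inline with made-up hosts (farm.example, cdn.other.example). The thresholds (8 links, 60% on one host) are assumptions for the example, not the report's.

```python
"""Added example (not the report tool's code): the report's PDF heuristics over raw bytes.
Only plain 'N G obj ... endobj' objects are handled; objects packed in /ObjStm are not."""
import re
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import urlsplit

OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
# Literal string of a /URI entry, honouring backslash escapes such as \) inside the string.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
URL_RE = re.compile(rb"https?://[^\s<>()\"']+")
# Namespace URIs every XMP packet carries; they are metadata, not navigable links.
XMP_NS_PREFIXES = ("http://ns.adobe.com/", "http://purl.org/dc/",
                   "http://www.w3.org/1999/02/22-rdf-syntax-ns")
# Thresholds are assumptions for this example, not the report's.
MIN_FARM_LINKS, MIN_TOP_HOST_SHARE = 8, 0.6


def iter_objects(data: bytes):
    """Yield (num, gen, body) for every indirect object definition, in file order."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip()


def duplicate_objects(data: bytes) -> Dict[tuple, List[bytes]]:
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: ids defined more than once with differing bodies."""
    bodies: Dict[tuple, List[bytes]] = {}
    for num, gen, body in iter_objects(data):
        bodies.setdefault((num, gen), []).append(body)
    return {k: v for k, v in bodies.items() if len(set(v)) > 1}


def resolve(data: bytes, num: int, gen: int, policy: str = "last") -> Optional[bytes]:
    """Resolve an object the way a first-wins or a last-wins reader would."""
    bodies = [b for n, g, b in iter_objects(data) if (n, g) == (num, gen)]
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


def uri_action_targets(data: bytes) -> List[str]:
    """Targets of /URI actions: what a click on a link annotation actually opens."""
    return [m.group(1).replace(b"\\(", b"(").replace(b"\\)", b")").decode("latin-1")
            for _, _, body in iter_objects(data) for m in URI_RE.finditer(body)]


def labelled_urls(data: bytes) -> Dict[str, str]:
    """Every URL in the file with the channel that carries it (the report's per-URL label)."""
    clickable = set(uri_action_targets(data))
    labels: Dict[str, str] = {}
    for m in URL_RE.finditer(data):
        url = m.group(0).decode("latin-1")
        if url in clickable:
            labels[url] = "link-annotation"
        elif url.startswith(XMP_NS_PREFIXES):
            labels[url] = "xmp-namespace"
        else:
            labels.setdefault(url, "document-body")
    return labels


def link_farm_score(urls: List[str]) -> dict:
    """PDF_SEO_LINK_FARM: many clickable external links, mostly clustered on one host."""
    hosts = Counter(h for h in (urlsplit(u).hostname for u in urls) if h)
    total = sum(hosts.values())
    top_host, top_count = (hosts.most_common(1) or [(None, 0)])[0]
    share = top_count / total if total else 0.0
    return {"links": total, "top_host": top_host, "top_share": round(share, 2),
            "flagged": total >= MIN_FARM_LINKS and share >= MIN_TOP_HOST_SHARE}


def triage(data: bytes) -> dict:
    urls = labelled_urls(data)
    clickable = [u for u, channel in urls.items() if channel == "link-annotation"]
    return {"link_farm": link_farm_score(clickable),
            "duplicate_objects": sorted(duplicate_objects(data)),
            "url_channels": Counter(urls.values())}


def build_sample_pdf(n_farm_links: int = 12, farm_host: bytes = b"farm.example") -> bytes:
    """Constructed input, not the analysed sample: one page with many link annotations on one
    host, an XMP packet, and object 4 redefined by an appended incremental update."""
    targets = [b"https://%s/dl/%d.pdf" % (farm_host, i) for i in range(n_farm_links)]
    targets.append(b"https://cdn.other.example/legit.pdf")
    annots = b" ".join(b"%d 0 R" % (10 + i) for i in range(len(targets)))
    objs = [
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Metadata 5 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
        b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [" + annots + b"] >>\nendobj\n",
        b"4 0 obj\n<< /Producer (original) >>\nendobj\n",
        b"5 0 obj\n<< /Type /Metadata /Subtype /XML >>\nstream\n"
        b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
        b'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/>\nendstream\nendobj\n',
    ]
    for i, target in enumerate(targets):
        objs.append(b"%d 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                    b"/A << /S /URI /URI (" % (10 + i) + target + b") >> >>\nendobj\n")
    first = b"%PDF-1.4\n" + b"".join(objs) + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    # Incremental update: same id 4 0, different body; a last-wins reader sees this one.
    update = (b"4 0 obj\n<< /Producer (rewritten by update) >>\nendobj\n"
              b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return first + update


if __name__ == "__main__":
    pdf = build_sample_pdf()
    print(triage(pdf))
    print("first-wins 4 0:", resolve(pdf, 4, 0, "first"))
    print("last-wins  4 0:", resolve(pdf, 4, 0, "last"))
```

On the constructed file the link-farm check flags 13 clickable links with 92% on farm.example, the duplicate check reports object 4 0, and the two XMP namespace URIs are labelled as metadata rather than as links. Real samples frequently pack their objects into compressed object streams or FlateDecode their dictionaries; inflate those first, or the duplicate-object and /URI checks will miss whatever they hide.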

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f6d9.bin
SHA-256: b50d0c61cc61a0824b30e72140846442904a96b7dbec263dd2b6717de26d011d
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xF6D9
Size: 5284 bytes

Filename: font_01_sfnt_off000108db.bin
SHA-256: 45918ec1ebf46f59b1e70e7ece4d31f618587dc07b0d714c0d17ccfe7f4fe0a6
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x108DB
Size: 11196 bytes