Malicious PDF — malware analysis report

Static analysis result for SHA-256 161ffdb127ffb4b9…

Verdict: MALICIOUS
File type: PDF
Size: 77.1 KB
Created: 2021-05-16 20:08:03 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c205abc9dcf8a7ca6afdfef410c56cd6
SHA-1: 28fff2962fd94feec1f640c32516ef7b278ec3e8
SHA-256: 161ffdb127ffb4b9a4374bef6d9cb1c5a53fa076101738c981cbaed9c5450590
Risk score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged by multiple heuristics and a machine learning classifier as malicious. It contains an embedded URI pointing to a suspicious domain, vilenefex.ru, which is likely used to host phishing content or distribute malware. The document body contains garbled text, suggesting it may be obfuscated or contain non-readable elements intended to exploit PDF vulnerabilities or deliver malicious content via embedded scripts, though no specific scripts were extracted.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9992

Heuristics (4)

  • ClamAV detection (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (info, PDF_URI)
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://vilenefex.ru/strik?utm_term=studio+3+wireless+headphones+%25E2%2580%2593+beats+skyline+collection+crystal+blue

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000e8fe.bin
    SHA-256: 56ef3cd95c0d91513b2c65a6bf35ece697d051829599e8529631fb7bb9c03620
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE8FE
    Size: 5860 bytes
  • font_01_sfnt_off0000fcfc.bin
    SHA-256: 4ca95ea5f045eb656c535a45268a2ca1ab79a35651a4a590859b711b713f6969
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFCFC
    Size: 11140 bytes