Malicious PDF — malware analysis report

Static analysis result for SHA-256 18e0be1639a78d77…

Verdict: MALICIOUS
File type: PDF
Size: 103.9 KB
Created: 2021-03-19 08:52:12 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 286ea5a3eb442e5e2541c5160efb0fff
SHA-1: 532634128650afaa599105783d1a5ae800c03567
SHA-256: 18e0be1639a78d770b42a332529c744668d645f153c6473fcb40d1d2fa8fbb1f
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains a high number of embedded external links, with one heuristic specifically identifying a 'PDF_SEO_LINK_FARM'. The primary malicious URL identified is vilenefex.ru, which is likely used to host malicious content or phishing pages. The ClamAV detection and ML classifier also strongly indicate maliciousness, suggesting this PDF is part of a phishing or malware distribution campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9978

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://vilenefex.ru/123?utm_term=ark+survival+evolved+apk+obb+highly+compressed

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off0000f9d4.bin
    SHA-256: c771749ac430df80d980b7b547ce8d3855b3538cef4b0649cf9476a0c216e958
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xF9D4; Size: 6676 bytes
  • font_01_sfnt_off00010aa7.bin
    SHA-256: 3d9cecd7577736c35dc74a9b87c0fb1382c2e90dfbcde7ebce15aaef75f891c5
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x10AA7; Size: 5844 bytes
  • font_02_sfnt_off00011e66.bin
    SHA-256: 7a0618f59c4e0820462755cd5dcaf90e3b5e97f55ecc1e94679e6dab1891fc34
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x11E66; Size: 11196 bytes
  • font_03_sfnt_off000140e2.bin
    SHA-256: 0460e4b819836684ee646564f23d3767bfcf5407a742f126e14b557faf704447
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x140E2; Size: 5852 bytes
  • font_04_sfnt_off00014f99.bin
    SHA-256: d00c6dd4991c2010ce628c4734e7acf3497c62318b8e3749e402d5dcf9b740a4
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x14F99; Size: 12640 bytes
  • font_05_sfnt_off000178c2.bin
    SHA-256: f5abbb234cbdc06cba8d791f4336b5c18fd773ed2db701b53bdcf8d35c283baf
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x178C2; Size: 16880 bytes