Malicious PDF — malware analysis report

Static analysis result for SHA-256 368b213cbc4fcf29…

Verdict: MALICIOUS
File type: PDF
Size: 81.7 KB
Created: 2021-03-19 23:21:19 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 90e2cdbd3ff16c83d68be6f222f5c607
SHA-1: 530188eb3d64c96c0f094a4f04a530a42e5d4c5f
SHA-256: 368b213cbc4fcf29e4fc4cddbd981468a2e8e4fae4bf796720c4118371caf798
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is identified as malicious by ML classifiers and ClamAV, indicating that it is a phishing attempt disguised as a vehicle owner's manual. It contains multiple embedded URLs, at least one of which, 'https://vilenefex.ru/123?utm_term=jeep+grand+cherokee+2014+diesel+owners+manual', is directly associated with the lure. Although no scripts were extracted, the PDF structure and the embedded URI actions suggest the document is designed to redirect users to malicious content, most likely a second-stage payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://vilenefex.ru/123?utm_term=jeep+grand+cherokee+2014+diesel+owners+manual
    • http://talakam.space/carlson_fisiologia_de_la_conducta_pdxgv8u.pdf
    • https://kogababofaf.weebly.com/uploads/1/3/0/9/130969162/efb87b902.pdf
    • http://rezotu.xyz/pagerosaxofejabuwibazin6cr7v.pdf
    • https://raxorevowipafe.weebly.com/uploads/1/3/4/7/134765671/5245187.pdf
    • https://kigadipokifexi.weebly.com/uploads/1/3/0/8/130813079/tumozenekijepop-wamidovixivamun.pdf
    • http://siwupezomejen.getenjoyment.net/97760312080.pdf
    • http://zhenskiizhurnal.ru/how_to_reset_a_whirlpool_refrigerator_filter8ntn8.pdf
    • https://fekarerexenafot.weebly.com/uploads/1/3/4/6/134698220/meteboxizazo.pdf
    • http://kpupnov.pro/polygons_and_angles_worksheet_answers_with_workwi541.pdf
    • http://fafijitesulexiz.mygamesonline.org/how_to_use_a_washer_dryer_combo.pdf
    • http://wefilevazobakeb.mypressonline.com/how_much_is_a_battery_for_a_2012_toyota_camry_hybrid.pdf
    • http://lavkavkusa.store/how_to_make_a_powerpoint_file_smaller_mace0o6l.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://s3.amazonaws.com/tezofuretejom/22253243995.pdf
    • https://uploads.strikinglycdn.com/files/52fe09c1-3f30-4751-a5af-6ae854d41489/how_heavy_is_a_hoveround.pdf
    • https://2a983b51-2e13-4971-8c1f-a5bca3ab4353.filesusr.com/ugd/e1a791_a57f692903e245aeb447aa1c68acf5bf.pdf?index=true
    • https://s3.amazonaws.com/sinadi/nutritional_information_innocent_smoothie.pdf
    • https://uploads.strikinglycdn.com/files/aa736234-6b97-469d-91d0-52736122bff3/m-audio_keystation_49_manual.pdf
    • https://99f4a897-b223-4833-863a-50ad465ba5d5.filesusr.com/ugd/8e2371_42b322bdd6314a5891ad48091cf11cbe.pdf?index=true
    • https://s3.amazonaws.com/wajufifenoxuj/dnr_form_template_uk.pdf
    • https://uploads.strikinglycdn.com/files/bba6c68b-7158-4bc9-80ca-4f297e17c9c2/to_my_dear_and_loving_husband_literary_analysis.pdf
    • https://uploads.strikinglycdn.com/files/0abd52c2-d032-41a5-9040-305e212c2884/how_to_clean_waterpik_wp-100.pdf
    • http://bosagiriwamokin.onlinewebshop.net/11441553382.pdf
    • https://uploads.strikinglycdn.com/files/c7233372-a290-47b3-81f2-9460d1ae0727/65153102251.pdf
    • https://s3.amazonaws.com/gifojuxaxeva/wrong_turn_2_movie_mp4.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size

  • font_00_sfnt_off0000f23d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF23D | 5848 bytes
    SHA-256: 597a801b9d5807a86f60d14c346906ec1fb92284ad62184eea0772392b761205
  • font_01_sfnt_off000105fd.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x105FD | 10800 bytes
    SHA-256: b98f2881d91df6f2369985fb9ebea7d415231beb6903dceea12f4da32e64c72a
  • font_02_sfnt_off00012ae4.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12AE4 | 4324 bytes
    SHA-256: ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3