Malicious PDF — malware analysis report

Static analysis result for SHA-256 3caff9dd57859c16…

MALICIOUS

PDF

79.0 KB Created: 2021-03-09 21:58:01 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 93a5e5d3d45e4781ceaf2ec787738d18 SHA-1: 7de564a394bc68c875131ccb496f1be9b7c0070d SHA-256: 3caff9dd57859c160937d044d1a351c5288e281f5bef1d550d285d2702f4305c
184 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was flagged by multiple heuristics, including ClamAV and an ML classifier, indicating malicious content. The presence of external links, particularly the one to 'vilenefex.ru', suggests an attempt to redirect the user to a malicious site or download a payload. The 'SE_DOWNLOAD_BUTTON' and 'SE_CALLBACK_LURE' heuristics further support a phishing or scamming attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics 7

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://vilenefex.ru/123?utm_term=lol+pbe++eune
    • https://vepemetamat.weebly.com/uploads/1/3/4/3/134354227/vizisigepifenovo.pdf
    • https://tifowufiwadoxi.weebly.com/uploads/1/3/4/0/134098290/9684056.pdf
    • https://mafobosapufi.weebly.com/uploads/1/3/4/5/134505980/166885.pdf
    • https://static.s123-cdn-static.com/uploads/4407804/normal_5fddf9a73c33b.pdf
    • https://gejizataki.weebly.com/uploads/1/3/3/9/133997606/6111469.pdf
    • https://loguxofe.weebly.com/uploads/1/3/0/7/130775118/7bbb022.pdf
    • https://cdn.sqhk.co/sevigexew/Uhiiijh/lovelace_medical_center_medical_records.pdf
    • https://cdn-cms.f-static.net/uploads/4389361/normal_601dd3faadad3.pdf
    • https://cdn.sqhk.co/sifalavuxozo/hhzgdia/prime_video_apple_tv_app.pdf
    • https://static.s123-cdn-static.com/uploads/4483337/normal_5ffc56b93bdf1.pdf
    • https://cdn-cms.f-static.net/uploads/4454543/normal_601a40533a625.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://203aa715-7352-46b1-b16b-5d0aeeaa27a2.filesusr.com/ugd/0582e0_111bd740823e44cba38bf0ae0bd5f5a2.pdf?index=true
    • https://s3.amazonaws.com/tosevud/mugen_rao_songs.pdf
    • https://s3.amazonaws.com/viboxikuz/nintendo_pokemon_error_code_51099.pdf
    • https://s3.amazonaws.com/vabedafozo/the_ambushers_1967.pdf
    • https://s3.amazonaws.com/jagux/calle_13_latinoamerica_worksheet.pdf
    • https://s3.amazonaws.com/dezajok/94614938468.pdf
    • https://s3.amazonaws.com/zuguvoxoki/73962696641.pdf
    • https://f9fc249e-2e6a-4908-9eb0-88005465a50d.filesusr.com/ugd/2530ee_f936c87f89d047d4a4554508bfe1b42d.pdf?index=true
    • https://s3.amazonaws.com/kezemiradigu/xiripegowexite.pdf
    • https://571cbd0a-ba82-408d-be6d-2df53a8fcfe5.filesusr.com/ugd/02af14_f82b85df2ffe4548af814a2565ab5970.pdf?index=true
    • https://314f4944-3dd9-45af-b5ee-fc7f46c963e4.filesusr.com/ugd/73cb9e_8e304dd8abdc4e3e947c28a09828e018.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ee25.bin
eec2311198495a4bc353016469730966835d49679daeed18a98faa9ab15954d4		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEE25 2828 bytes
font_01_sfnt_off0000f82f.bin
71979ded7817b7738cf71d63e8a335606cec3e3f2fe18a839b98b6e75356b2c3		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF82F 4408 bytes
font_02_sfnt_off0001073d.bin
8857ed358ff9fde8b7473cb344e199d4005593b20e413f54602a35ed9752050d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1073D 11200 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.