Malicious PDF — malware analysis report

Static analysis result for SHA-256 4b15ce1b6587066b…

MALICIOUS

PDF

78.9 KB Created: 2021-05-29 13:19:20 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 322d36bb683071fb9bb5bc5d96e79e69 SHA-1: bf9f883f533a5a92961e9fdd322c3697dad24893 SHA-256: 4b15ce1b6587066b5d9ea27bfa88d783f48c9ebb1e8f0b98ba7e1d87e4d90ab2
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains a large number of external links, many of which are to PDF files with numeric slugs, indicating a potential link farm for SEO manipulation or phishing. The ClamAV detection and ML classifier strongly suggest malicious intent. While no scripts were explicitly extracted, the PDF structure and numerous external links, including one to 'vilenefex.ru', point towards a malicious document designed to redirect users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://vilenefex.ru/123?utm_term=oriflame+catalogue+september+2019+pdf
    • https://puwibovur.weebly.com/uploads/1/3/4/6/134639487/5810917.pdf
    • https://kekisadubivef.weebly.com/uploads/1/3/3/9/133986731/114c838df4a.pdf
    • https://cdn-cms.f-static.net/uploads/4381547/normal_605876c8e353c.pdf
    • https://tixiganotirof.weebly.com/uploads/1/3/1/1/131163533/9499264.pdf
    • https://cdn-cms.f-static.net/uploads/4369330/normal_6036d130049bc.pdf
    • https://tetavezodumop.weebly.com/uploads/1/3/4/6/134645623/7386041.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/b8559aa4-c99f-4d89-b9c6-60eb363b2a2c/lejarake.pdf
    • https://uploads.strikinglycdn.com/files/7d4d737f-33bb-421a-92ce-049aa41b5e35/how_to_revive_a_dead_lead_acid_battery.pdf
    • https://uploads.strikinglycdn.com/files/9d071749-db18-4925-ac61-768ba3d230f6/41082455620.pdf
    • https://uploads.strikinglycdn.com/files/f1adcce8-ded3-416c-8990-68ff079f02c4/how_to_set_g_shock_casio_watch_time.pdf
    • https://uploads.strikinglycdn.com/files/995a0358-8447-4c28-9f63-9002183ab227/mesoxavuxeb.pdf
    • https://uploads.strikinglycdn.com/files/d8d0e6a6-41db-494e-afe8-99a1acf7ce68/edexcel_igcse_chemistry_pearson_student_book_answers.pdf
    • https://uploads.strikinglycdn.com/files/08db120e-1a16-4fbf-b51c-9404939acd70/how_to_program_att_uverse_remote_to_panasonic_tv.pdf
    • https://uploads.strikinglycdn.com/files/55182ebd-704d-483a-bd74-0b1a47b76c20/a_series_of_unfortunate_events_book_3_word_count.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e31f.bin
315d9c3432733d343cf5dd361c3718cdf3b2edad622ca82725dc3edb92faf966		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE31F 6124 bytes
font_01_sfnt_off0000f7d6.bin
83b962c9724df07515e466640e7fea3d649a910669172684b2fcd70b30e49d5f		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF7D6 9000 bytes
font_02_sfnt_off000109f4.bin
e59f52dd0dcb7821171a2b44b50f17f1dd19d5d0b9274bb0d3ec3dff86539202		 pdf-font-stream PDF embedded font (sfnt) at offset 0x109F4 10488 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.