Malicious PDF — malware analysis report

Static analysis result for SHA-256 585a39c6edb339cd…

Verdict: MALICIOUS
File type: PDF
Size: 147.0 KB
Created: 2021-04-04 10:37:10 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d76ecfb4794b6b38658083763c7b610d
SHA-1: 7ae34065117b2eac0c82a2cb52e8f31f4b4ef335
SHA-256: 585a39c6edb339cd590e25f74d226eac41b02d9e41a684f128d2a94038844d57
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is identified as malicious by a ClamAV detection and an ML classifier. It contains an embedded URI pointing to 'https://vilenefex.ru/award?keyword=alter+ego+b2+pdf+corrige', which is likely part of a phishing or malware distribution scheme. The document body, though heavily obfuscated, suggests a lure related to an award or correction, aligning with common social engineering tactics.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9989

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://vilenefex.ru/award?keyword=alter+ego+b2+pdf+corrige

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0001e7ca.bin | 3b6e6c33ecf167fe43ea37b1d67e9a29c6804c09a5f8b3b7c9a018de13a49b44 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1E7CA | 5196 bytes
font_01_sfnt_off0001f991.bin | 47711676f784171d07bcada69e515d7092164242139221d4c95df3d8e4d3b02a | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1F991 | 14512 bytes
font_02_sfnt_off000226a1.bin | bd4845d97cc587c8bd9f245b8357091d7712920bce10650059ddfa15623f53ad | pdf-font-stream | PDF embedded font (sfnt) at offset 0x226A1 | 16344 bytes