Malicious PDF — malware analysis report

Static analysis result for SHA-256 6139e2a073150c3b…

Verdict: MALICIOUS
File type: PDF
Size: 80.0 KB
Created: 2021-04-08 04:52:04 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 954a01385ceea86b246e22ab8211946b
SHA-1: d2588ee00525fc666c0e9a52813111915bb2e2d1
SHA-256: 6139e2a073150c3b43384c254986b59a37103ab064026b04230795dcfc0f9053
Risk Score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged by ClamAV as Pdf.Phishing.Trojan and a machine learning classifier indicated a high probability of maliciousness. It contains an embedded URI pointing to a suspicious domain, vilenefex.ru, which is likely part of a phishing or malware distribution scheme. The document body is heavily obfuscated, preventing a clear understanding of its specific lure, but the presence of external URLs suggests an attempt to redirect the user to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://vilenefex.ru/wix?keyword=bissell+poweredge+pet

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000f780.bin | fb8e7c70fad07ea9fd0155d3c5f0fb9abd691ce146b8e81d3e834af0d8bd3d84 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF780 | 5056 bytes
font_01_sfnt_off000108d9.bin | 56164805fdbbaad0471d007ce400e8e2ae4f17726098eae30fb99ba4937cdcad | pdf-font-stream | PDF embedded font (sfnt) at offset 0x108D9 | 12312 bytes