Malicious PDF — malware analysis report

Static analysis result for SHA-256 799a7a0f661a19aa…

MALICIOUS

PDF

81.4 KB Created: 2021-03-07 09:08:03 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b401095a0dd77c4efa65d0d5f3376388 SHA-1: b5f978cfaed045d3c2ef8818e9f6fa92e7204ec4 SHA-256: 799a7a0f661a19aa6bf5163084fd8acce3c98a54674a2b21b1f7b68f2b3492cb
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was flagged by multiple heuristics, including a critical ClamAV detection for Pdf.Phishing.Trojan and an ML classifier indicating maliciousness. The presence of numerous external links, including one pointing to 'vilenefex.ru', suggests a phishing or malware distribution attempt. The heuristic 'SE_DOWNLOAD_BUTTON' indicates the document likely contains a deceptive call-to-action to encourage user interaction with these links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://vilenefex.ru/wix?keyword=babies+r+us+medela+breast+pump
    • https://static.s123-cdn-static.com/uploads/4446400/normal_5ff7b882a75d5.pdf
    • https://fenogelojana.weebly.com/uploads/1/3/4/9/134904444/9055245.pdf
    • https://cdn.sqhk.co/burajugi/jfidZja/cat_runny_eye_and_sneezing.pdf
    • https://static.s123-cdn-static.com/uploads/4417033/normal_5fcc4c6077374.pdf
    • https://cdn.sqhk.co/kekelivig/ahcjaMD/46276131308.pdf
    • https://zuvigopujipo.weebly.com/uploads/1/3/0/9/130969218/6161753.pdf
    • https://cdn.sqhk.co/nosuterib/ivgeUgf/parenting_tips_for_down_syndrome.pdf
    • http://xovebud.mygamesonline.org/best_way_to_write_travel_articles.pdf
    • https://kajugomurabamuj.weebly.com/uploads/1/3/0/8/130814292/febeninaterop_muxuzimura_xowakura_misalawe.pdf
    • https://cdn.sqhk.co/sategexarom/haBijpD/groupme_support_free_iphone_11_giveaway.pdf
    • https://puwulafu.weebly.com/uploads/1/3/5/3/135329465/pamogulujum.pdf
    • https://cdn.sqhk.co/nawinirezuj/8Ihjghk/detufaduwirenazuxukobozul.pdf
    • https://static.s123-cdn-static.com/uploads/4392463/normal_60036d6627071.pdf
    • http://jitokinut.iblogger.org/dewexadewibiso.pdf
    • http://dofujifeluradep.medianewsonline.com/memupokiku.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://tufebogepamik.rf.gd/excel_template_personal_budget_expenses.pdf
    • https://d046670e-94b8-4ea2-8efc-69fca9b502c9.filesusr.com/ugd/c0b427_d2e856c0042b48c692a1e3152b792289.pdf?index=true
    • http://naxefugoxodikow.atwebpages.com/wikutedadubuwaruvifiga.pdf
    • https://0e67983c-e844-40c9-b604-97311ec94efe.filesusr.com/ugd/6e13d9_c41d80e6746443c8b66b0c2132c0619c.pdf?index=true
    • http://gojaxuga.epizy.com/angle_izer_template.pdf
    • https://35057dd6-1d18-4acd-96c9-af3b7fddc7cd.filesusr.com/ugd/978dd5_f3603c8f3a594c4caff02bf3628003fc.pdf?index=true
    • http://gevejonitu.onlinewebshop.net/is_murgee_auto_clicker_a_virus.pdf
    • https://8eb0ff2f-1b5f-41fb-a82b-bf279dc7f43e.filesusr.com/ugd/868f76_a3eaab404aed4591be8e6222a8a6c2b6.pdf?index=true
    • http://zipoxibel.epizy.com/acc_aha_guidelines_2017.pdf
    • https://7e073981-ad1c-4081-8dc0-76946ba36063.filesusr.com/ugd/c4f63d_e807b7d4f0f9406bb2172f4ccd2a182b.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00010280.bin
3539f8db5af4ab6132a39233342c35d95720b69c1c7bea779dcecd48a415040a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10280 5296 bytes
font_01_sfnt_off0001145d.bin
cf4e0105c135e037665b475219289ef7dce5ed04e16aa8b3f3ea483a4b5eb2bf		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1145D 10460 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.