Malicious PDF — malware analysis report

Static analysis result for SHA-256 79f6a2705c869a9a…

MALICIOUS

PDF

Size: 76.3 KB
Created: 2021-03-24 08:25:44 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4062c00a09feec20947271d0b53c557b
SHA-1: 0e8d34529ff4ea80ffafd12bf7dc34fdaf5eb1f7
SHA-256: 79f6a2705c869a9ad663fbfa1b9fc1adbfc24485e0ae937041a248c0c1045ccd
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is identified as malicious by ClamAV and an ML classifier. It contains an embedded URI pointing to a suspicious domain, vilenefex.ru, which is likely used to host a phishing lure. The document body, though heavily obfuscated, suggests a pretext related to training materials, aligning with common phishing tactics.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8534

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://vilenefex.ru/award?keyword=bethel+sozo+training+manual+pdf
    • https://cdn-cms.f-static.net/uploads/4497688/normal_6024210931576.pdf
    • https://cdn.sqhk.co/netesatova/QEjgryl/79626223118.pdf
    • http://farilanij.iblogger.org/67857284360.pdf
    • https://static.s123-cdn-static.com/uploads/4470828/normal_5fefe43d34e95.pdf
    • https://cdn.sqhk.co/modajili/bBjiidV/red_robin_coupons.pdf
    • https://cdn.sqhk.co/foxoxaze/4cgf0ja/crack_windows_7.pdf
    • http://suwefazimim.medianewsonline.com/ramisapokutedafofunesa.pdf
    • http://samafutanub.mypressonline.com/scores_delivery_menu.pdf
    • https://cdn.sqhk.co/vekuperik/eJWjhb6/41757779247.pdf
    • https://cdn.sqhk.co/xuluriwu/wZHjf1t/archers_battle_weapon_crossword.pdf
    • https://cdn.sqhk.co/gopilufifeda/ftVrhj0/rebuilding_paradise_where_to_stream.pdf
    • https://cdn.sqhk.co/dafisuwikib/82hergZ/3627161880.pdf
    • https://cdn.sqhk.co/wofazexej/fNjjp5z/21225843879.pdf
    • https://cdn-cms.f-static.net/uploads/4452837/normal_604f76a00a866.pdf
    • http://zaxevef.getenjoyment.net/50224375645.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/woberiz/banipikikekanajokopegemev.pdf
    • https://s3.amazonaws.com/juduk/livro_diagnostico_empresarial.pdf
    • https://s3.amazonaws.com/satudifin/razokatamegav.pdf
    • http://zofutigo.epizy.com/nene_ambani_audio_songs_free.pdf
    • https://s3.amazonaws.com/gazijewevan/black_ice_slang_term.pdf
    • https://s3.amazonaws.com/bezutu/bushnell_78-_5500_telescope_manual.pdf
    • http://lojifasipok.rf.gd/biology_notes_class_11_download.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000fbdf.bin | 6d0d2bda0b71ee3e1d9724c1aa5403d3f3e310365643317512f230d4b7a2f9a4 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFBDF | 5552 bytes
font_01_sfnt_off00010ea2.bin | 4fa83897205227cccb513de27a53b69c45aeeb3d6f79e82dad479a5fbff78521 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10EA2 | 11392 bytes