Malicious PDF — malware analysis report

Static analysis result for SHA-256 7a9f3a212562c75c…

MALICIOUS

PDF

82.2 KB Created: 2021-03-13 18:26:02 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e734c8337ab74070ce3bd051a9818be6 SHA-1: e6ee6d47ada709acc21c919cc23fb77e2f90a331 SHA-256: 7a9f3a212562c75c18a011bc786cd2cf914ca8d5544765b62ec694d80b00d779
136 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is a PDF that contains an external URI pointing to a suspicious domain, vilenefex.ru. The heuristic 'SE_PASSWORD_ARCHIVE_LURE' indicates that the document likely instructs the user to open a password-protected archive, a common tactic to bypass security filters. The ML classifier also flagged this PDF with high confidence. While no scripts were directly extracted, the presence of external URLs and the password archive lure suggest a phishing or malware delivery attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://vilenefex.ru/123?utm_term=happy+friendship+day+photos+free
    • http://gadivawiw.sportsontheweb.net/tosijokojitex.pdf
    • https://cdn.sqhk.co/lerapuraroke/Jiihaij/the_room_movie_netflix_true_story.pdf
    • https://cdn.sqhk.co/jamolipa/diasjgf/videoder_hotstar_pc.pdf
    • http://nafigunagofadab.getenjoyment.net/10090976921.pdf
    • http://fuzubijixulux.mygamesonline.org/33839271923.pdf
    • http://zawugudumi.getenjoyment.net/3458750704.pdf
    • http://talezoruvaje.iblogger.org/famoto.pdf
    • https://cdn.sqhk.co/lemijexo/Bhk9gdk/rebexuratomumipu.pdf
    • http://kamefutebiwef.mywebcommunity.org/50322911987.pdf
    • https://cdn.sqhk.co/bugolajoxodu/EqhsWib/math_worksheets_grade_2_subtraction.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/98ab20ad-4890-45d1-ae3e-f30aa03ac8a0/tugadijarotoxo.pdf
    • https://uploads.strikinglycdn.com/files/0adb22f5-76c4-4b44-9641-9be0e0966f27/20302093267.pdf
    • https://uploads.strikinglycdn.com/files/e5c0abb6-967b-4025-807a-ab66ae3a898c/phd_research_proposal_sample_sociology.pdf
    • https://uploads.strikinglycdn.com/files/e39a99e3-a30f-415b-bf3a-e711ea6065fc/microsoft.flight.simulator.x.gold.edition_-_skidrow_winrar_password.pdf
    • https://uploads.strikinglycdn.com/files/6ad3d3f8-6690-4afa-ba10-cfe93ca35920/what_is_the_meaning_behind_geometric_tattoos.pdf
    • http://vofoxefubi.epizy.com/when_will_walmart_get_rid_of_cashiers.pdf
    • http://telewazikenap.rf.gd/adjective_adverb_list.pdf
    • http://jutademopewe.epizy.com/vivah_movie_300mb.pdf
    • https://uploads.strikinglycdn.com/files/b9d38970-d666-41cf-b235-2e561710b6d1/diferencias_entre_la_tabla_periodica_de_mendeleiev_y_moderna.pdf
    • https://uploads.strikinglycdn.com/files/fc018485-8fa5-4787-b682-19fc5d5f6047/pictures_of_the_red_pyramid_in_egypt.pdf
    • https://uploads.strikinglycdn.com/files/8a35994a-80a1-4544-ab5a-20c34c9a4538/61459032049.pdf
    • https://uploads.strikinglycdn.com/files/998d57a3-d5a6-47ed-8ed3-ddafd872354c/77970506809.pdf
    • http://rozikumopimi.rf.gd/marquette_golden_eagles_account_manager.pdf
    • https://uploads.strikinglycdn.com/files/131a2071-a3ff-4424-829f-600156ea7dc4/ditalisenitosevo.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000102b1.bin
c936b9a36cee19daf8d60ab7c31d48ed45c066243270168c7ce28d653ede569b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x102B1 5160 bytes
font_01_sfnt_off00011446.bin
38dc3ef44ba9d91ff1c44aa8bf44484761d7adfb4d065c72a913576c725aa163		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11446 11528 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.