Malicious PDF — malware analysis report

Static analysis result for SHA-256 814edf192eb09027…

Verdict: MALICIOUS
File type: PDF
Size: 72.6 KB
Created: 2021-03-10 15:31:20 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2e10ec66833b4128b041ebb6af8c923e
SHA-1: eeb5e095af8d9f1eddd294d39c8d618790f78bde
SHA-256: 814edf192eb090271ef38e31ec70a09a0058985acf16d7dcbaa34614b681f58c
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains an embedded URI pointing to a suspicious domain, vilenefex.ru, which is likely a phishing lure. ClamAV detection and ML classification strongly indicate maliciousness, specifically identifying it as a phishing trojan. The document body, though heavily obfuscated, suggests a pretext related to 'auto diagnostics' to entice users to click the malicious link.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL https://vilenefex.ru/award?keyword=auto+diagnostics+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000ddc9.bin
    SHA-256: a0c8b42fbb0cd835c9a5489cc88dc4711166b93287eca10f0553b3c31984e2b4
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xDDC9
    Size: 5184 bytes
  • Filename: font_01_sfnt_off0000ef8c.bin
    SHA-256: 405fb549346dafaccdfca278f1f1df5d8b5ae598bc65f6a028b50cbd0978fb40
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEF8C
    Size: 11040 bytes