Malicious PDF — malware analysis report

Static analysis result for SHA-256 8a5b523e7d194c6b…

Verdict: MALICIOUS
File type: PDF
Size: 79.4 KB
Created: 2021-03-14 15:11:12 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8380cb2d127ab2bed5d58284647bb0b2
SHA-1: b8228c7bbe698c48973ee423561bc5ad82c9879b
SHA-256: 8a5b523e7d194c6be872f2b3da0abca5725e9821b4fc228371869e14a5e07870
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, flagged by the PDF_SEO_LINK_FARM heuristic, which suggests an intent to redirect users to malicious content. The primary malicious URL identified is vilenefex.ru. Although no scripts were extracted, the large number of external links together with the ClamAV detection indicate a phishing or malicious-redirection attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF_URI (info): External URI
    PDF contains an external URL action
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL: https://vilenefex.ru/strik?utm_term=slouching+towards+bethlehem+first+edition

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000f446.bin
    SHA-256: 7097f7ed33e1f420e1805178f86ca41be89a4dbd0298f575a9ac643d2f545c31
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF446
    Size: 5772 bytes
  • Filename: font_01_sfnt_off000107cd.bin
    SHA-256: 87e099b7c64c88710dba32e3b58190274022f7adcf4a6582a76c78b45e85960c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x107CD
    Size: 11704 bytes