Malicious PDF — malware analysis report

Static analysis result for SHA-256 9b6478a0bec44b4d…

Verdict: MALICIOUS
File type: PDF
Size: 80.1 KB
Created: 2021-03-29 16:44:14 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 296c28bb85e28e92b5b854123b173757
SHA-1: e1ab05b83412a0cbb8f472832cdbf8a424ea131d
SHA-256: 9b6478a0bec44b4d880c1689733fee27b9b07d6818e7e86fce1d9752ddbe52e3
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged as malicious by ML classifiers and ClamAV, with a specific detection name indicating it is a phishing trojan. An external URI pointing to 'vilenefex.ru' was extracted, which is likely the malicious payload delivery or phishing site. Although no scripts were explicitly extracted, the PDF structure and the nature of the URL suggest an attempt to trick the user into visiting a malicious site.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9993

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content for the same reference, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate object carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://vilenefex.ru/strik?utm_term=how+to+remove+drm+from+kindle
    • https://dogerisu.weebly.com/uploads/1/3/0/8/130874322/1409129.pdf
    • https://siganagimub.weebly.com/uploads/1/3/2/6/132683357/9bb31d9.pdf
    • https://lenexemumuvag.weebly.com/uploads/1/3/1/4/131438583/lusilugitafejes_redupijivevano_durojupixure_wutifudu.pdf
    • https://cdn.sqhk.co/gexojavo/BhfKhfP/tugagereziwanovagexofowa.pdf
    • https://pugulewex.weebly.com/uploads/1/3/1/4/131406013/negozew.pdf
    • https://ruregogawumol.weebly.com/uploads/1/3/2/8/132815787/4336505.pdf
    • http://sefajoga.iblogger.org/what_is_the_weather_report_in_chennai.pdf
    • http://bufaturofonoko.22web.org/43595366417.pdf
    • http://nojitowe.iblogger.org/english_story_book_download.pdf
    • https://cdn.sqhk.co/jabosuve/ijhgic2/crash_of_cars_gameplay.pdf
    • https://cdn.sqhk.co/segexiji/e8xXhcJ/4260740626.pdf
    • https://cdn.sqhk.co/fajoliteve/hhhigic/bisiw.pdf
    • http://mowewuwopirot.iblogger.org/active_transport_and_passive_transport.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/vavale/vegetable_dishes_for_picky_eaters.pdf
    • https://s3.amazonaws.com/baxegezivumi/wokavukivixoxamevi.pdf
    • https://uploads.strikinglycdn.com/files/00768935-7278-442d-b662-32301150360b/98055874416.pdf
    • http://risumipekalur.rf.gd/anet_a8_auto_bed_leveling.pdf
    • https://s3.amazonaws.com/xuzed/74451314167.pdf
    • https://s3.amazonaws.com/getizar/bruce_lee_songs_video.pdf
    • https://uploads.strikinglycdn.com/files/653e7733-8500-4041-ad0e-15075653b436/short_stories_for_high_school_special_education_students.pdf
    • http://deketinak.rf.gd/cisco_sg350x-_48p_datasheet.pdf
    • https://s3.amazonaws.com/savukojubusum/terumizexitepobu.pdf
    • http://vudubarexofibuf.rf.gd/25399272513.pdf
    • http://wulekugigewipo.epizy.com/1756479768.pdf
    • http://todiwemutu.rf.gd/blog_content_planner_template.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename, Kind, Source, Size

  • font_00_sfnt_off0000f84c.bin
    SHA-256: 677d8dd378c63ef129ce4c824c1cb5b9e4f105dc0c98950c47b937c47682d623
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF84C
    Size: 4844 bytes
  • font_01_sfnt_off000108c5.bin
    SHA-256: fd7ac2a056388e7a9d10812353000cb47f7541057ae93bb7c438e9f7953e3c9b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x108C5
    Size: 12224 bytes