Malicious PDF — malware analysis report

Static analysis result for SHA-256 9d6449ac5e728c0d…

Verdict: MALICIOUS
File type: PDF
Size: 104.3 KB
Created: 2021-04-07 20:28:25 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 91c505aece5be4569f61a9fe1ab750b5
SHA-1: 9f3d3c6b453c8bdce558db549e5ffef864f467fd
SHA-256: 9d6449ac5e728c0d78aeb51cc006fa3506cae956cc124bf02503e24b81be58aa
Risk score: 196

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, with the primary malicious URL being vilenefex.ru. The heuristic 'PDF_SEO_LINK_FARM' indicates a mass of external links, and 'SE_PASSWORD_ARCHIVE_LURE' suggests a common tactic for hiding malicious content. While no scripts were explicitly extracted, the presence of external links and the ML classification strongly suggest malicious intent, likely related to phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (6)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Password-protected archive handoff (high, SE_PASSWORD_ARCHIVE_LURE)
    Document gives password instructions for an archive or attachment, a tactic often used to keep payloads encrypted until after gateway scanning.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://vilenefex.ru/wix?keyword=warframe+lua+training+room
    • https://jukovuwivoxufab.weebly.com/uploads/1/3/3/9/133997180/9684222.pdf
    • https://soxoxalumowaju.weebly.com/uploads/1/3/4/7/134768556/3259307.pdf
    • https://kopikemuv.weebly.com/uploads/1/3/0/7/130740389/peruzimowoduforesuzo.pdf
    • https://jojonawizofobu.weebly.com/uploads/1/3/1/4/131438175/fuwegupasikipirewete.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/ebb8d99b-1fda-4141-85a5-4546f464d47d/pretty_little_liars_books_full_set.pdf
    • https://s3.amazonaws.com/wamatasamegu/9057692668.pdf
    • http://lasikip.rf.gd/descriptive_research_design_examples.pdf
    • https://336ddc11-c37d-4cd6-9685-7accad2975f7.filesusr.com/ugd/479fa9_0912e7a97af247b6879bd9b4d359fc39.pdf?index=true
    • https://s3.amazonaws.com/vikukinumet/nunerukamivadanadoz.pdf
    • http://roradom.epizy.com/25376146947.pdf
    • https://s3.amazonaws.com/xakajoziwibi/serenity_prayer_in_aa_literature.pdf
    • https://uploads.strikinglycdn.com/files/130adcd1-4079-48ee-b65c-1c9bfca2d2cd/tafawuwaded.pdf
    • https://s3.amazonaws.com/banula/system_requirements_specification_example.pdf
    • http://gukofeverozek.rf.gd/barron_s_sat_math.pdf
    • https://3a00e800-a8eb-44ae-aafc-ae9aecab8e06.filesusr.com/ugd/1715bf_466b93639d3f4e719ce32d230cb45a0c.pdf?index=true
    • https://s3.amazonaws.com/wupixufekijax/22074482174.pdf
    • http://bakenexiradofo.epizy.com/hot_cross_buns_sheet_music_flute.pdf
    • https://s3.amazonaws.com/jeponowon/printable_calendar_with_julian_dates_2021.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off000146ee.bin
    SHA-256: acd74acb30eb0aa13bf531bd6126ece317f7ea4575f4c55b55786570c6a9d70d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x146EE
    Size: 4924 bytes
  • font_01_sfnt_off000157a8.bin
    SHA-256: eb20c95b541befa974c1ae8707d90747688d18429d24fac28a3f1fd12afa18c5
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x157A8
    Size: 11412 bytes
  • font_02_sfnt_off00017eb9.bin
    SHA-256: 541fa2b6826b0add99b7d5a173ef1e6a5567607b5192f75b810eb17d6a563501
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x17EB9
    Size: 16204 bytes