Malicious PDF — malware analysis report

Static analysis result for SHA-256 9f4def79d97245ff…

MALICIOUS

PDF

92.6 KB Created: 2021-03-27 11:16:57 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c0f574c7912e3530c2579aa0735ef6e8 SHA-1: e1bb28d3e0ea8a3df0b5216a5d52eba77f9f8a37 SHA-256: 9f4def79d97245ff3b2822961babdcf211ded0873e15b2f457967d890a8c573e
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The PDF contains embedded URLs, with the primary one being https://vilenefex.ru/strik?utm_term=menu+persepolis+1971, which likely serves as a lure for phishing or to download further malicious content. Although no scripts were explicitly extracted, the PDF structure and embedded URLs suggest an attempt to redirect the user to a malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9967

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://vilenefex.ru/strik?utm_term=menu+persepolis+1971
    • https://kaxojolomo.weebly.com/uploads/1/3/4/8/134885197/a9658.pdf
    • https://cdn-cms.f-static.net/uploads/4389095/normal_60183ce08388e.pdf
    • https://cdn.sqhk.co/zezegawutogu/jighjiw/minecraft_clicker_servers.pdf
    • http://sewakasatixori.medianewsonline.com/anchoring_script_in_marathi_for_school_gathering.pdf
    • https://static.s123-cdn-static.com/uploads/4370762/normal_6001d4323cb9a.pdf
    • https://cdn-cms.f-static.net/uploads/4404990/normal_5fe7df1185c3d.pdf
    • https://guzaluvezitalil.weebly.com/uploads/1/3/4/6/134645516/c896428ca.pdf
    • https://cdn-cms.f-static.net/uploads/4465556/normal_600db1ff85bba.pdf
    • https://cdn.sqhk.co/togixulala/aTidAhf/aviation_industry_overview.pdf
    • https://cdn.sqhk.co/gejupajo/hahdcYX/lightroom_presets_app_free_download.pdf
    • https://cdn.sqhk.co/zetanitanedo/WNDagJH/dowamijobasikatitefe.pdf
    • https://cdn.sqhk.co/goworonol/FiaoJ41/american_truck_simulator_wallpaper_4k.pdf
    • https://bomevalaruzaf.weebly.com/uploads/1/3/4/8/134871705/ad8c161cb7f191c.pdf
    • http://mavixepajifulem.scienceontheweb.net/surah_al_waqiah_arab_dan_latin.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://zowofiz.myartsonline.com/16733604846.pdf
    • https://uploads.strikinglycdn.com/files/2417cdd2-d18e-4c63-920b-d882953d3d91/98444578990.pdf
    • https://s3.amazonaws.com/dogevazapiwediw/maxtor_one_touch_2_disassembly.pdf
    • http://perexuwofogefo.onlinewebshop.net/70119860946.pdf
    • https://s3.amazonaws.com/wewiro/copd_treatment_guideline_2019.pdf
    • https://s3.amazonaws.com/wizedumi/90928350943.pdf
    • https://uploads.strikinglycdn.com/files/dd450366-7740-4def-99d7-7134912ef6c8/78920480346.pdf
    • https://s3.amazonaws.com/fewunadupop/robinair_34700z_repair_manual.pdf
    • https://uploads.strikinglycdn.com/files/80fe5b46-9750-4ebc-ac38-c40fef27549a/los_crimenes_de_la_calle_morgue_edgar_allan_poe_resumen_corto.pdf
    • https://uploads.strikinglycdn.com/files/23b9975a-6ab8-4cd0-a1ee-64ec52482d0c/betty_crocker_cooky_book.pdf
    • https://s3.amazonaws.com/getizar/carb_cycling_free_printable_food_guide.pdf
    • https://uploads.strikinglycdn.com/files/860b10d3-280c-4409-9e20-ed0f02034fe7/how_to_do_soft_reset_on_samsung_phone.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00012a5e.bin
e7d9481b1cfb335c3a40d241de2cdea67af0fcec90b81d3c12ad9c18569202fa		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12A5E 4896 bytes
font_01_sfnt_off00013b2c.bin
f1a27dd22364b00fff316a6714a26406217353583d6794297a641edbd4d9f61e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x13B2C 13184 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.