Malicious PDF — malware analysis report

Static analysis result for SHA-256 a21af3f1407bcf76…

MALICIOUS

PDF

76.0 KB Created: 2021-04-02 09:26:13 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4fe64ea0a8ad0ff417bc101bbfae0312 SHA-1: 7c503233bb4cb03441decb2e5d68efa7f852823f SHA-256: a21af3f1407bcf762dd08839eae56b70dc1045c229294523c088b9f1a528dfa5
136 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains heuristics indicating an advance-fee scam lure, specifically mentioning 'robux 2020 application download' in its metadata and document body. The primary malicious indicator is the external URI pointing to 'vilenefex.ru', which is likely a phishing or malware distribution site. While no scripts were explicitly extracted, the PDF structure and the nature of the lure suggest it's designed to trick users into downloading a malicious payload, potentially via embedded JavaScript or by directing them to a malicious URL.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://vilenefex.ru/wix?keyword=robux+2020+application+download
    • http://gokuluzed.iblogger.org/1_week_calendar_template_excel.pdf
    • http://feziweninepiv.iblogger.org/nekaguxesoguweja.pdf
    • http://lasleymarkt.ru/top_100_indie_games_on_switchw21i0.pdf
    • https://static.s123-cdn-static.com/uploads/4421205/normal_5fee9eaf901d7.pdf
    • http://feldhaus-klinker-plitka.ru/sunsetter_awning_sales_near_mebmu3x.pdf
    • https://cdn-cms.f-static.net/uploads/4472793/normal_60390f3413772.pdf
    • https://cdn-cms.f-static.net/uploads/4469643/normal_605885acdc09f.pdf
    • http://caterm.ru/how_do_you_unclog_a_swiffer_wet_jetnpmpt.pdf
    • https://cdn-cms.f-static.net/uploads/4369162/normal_5fe9b90ea8440.pdf
    • http://shopsmmv.site/native_instruments_traktor_kontrol_s4_mk3_review4ymw6.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://vekalaluno.epizy.com/74345028322.pdf
    • http://jeborawaleko.atwebpages.com/non_collusive_oligopoly_def.pdf
    • http://lufiwivumijej.myartsonline.com/xutinija.pdf
    • http://rofagarurazope.rf.gd/nedilifopivowikujinuge.pdf
    • https://s3.amazonaws.com/babuxufarizuxur/effortless_mastery_book.pdf
    • https://s3.amazonaws.com/salade/85810052135.pdf
    • http://lelupiborojez.epizy.com/oxidao_de_alcoois.pdf
    • https://s3.amazonaws.com/muxegeza/17207847785.pdf
    • http://basatesizisil.rf.gd/bootstrap_datepicker_template_free.pdf
    • https://s3.amazonaws.com/xunilukegez/aluminum_sheets_for_enclosed_trailer.pdf
    • http://wukefomirufiza.rf.gd/gasimosejovizedebinogeta.pdf
    • http://jobasajavav.rf.gd/design_patterns_examples_in_java.pdf
    • http://wukekikisowif.epizy.com/vesevuxamalija.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000eb13.bin
8ef05684e11ca92bd6bff033e4a5c5f45eb959e862b3d1f6d15cc22e4d2a620a		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEB13 5376 bytes
font_01_sfnt_off0000fd86.bin
80f20c9603756d2d50e70dd01adbd6cae71fbdb6cc99a9a9888adf51855f2682		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFD86 10988 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.