Malicious PDF — malware analysis report

Static analysis result for SHA-256 aaf8665ae09ba0d4…

Verdict: MALICIOUS
File type: PDF
Size: 77.7 KB
Created: 2021-03-14 10:35:26 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 19482e3d5d9dbe06dde41e3185c52d5b
SHA-1: 22efe5d59d8e81a242cdc1894074c294c617fc15
SHA-256: aaf8665ae09ba0d4218702e6f7a3d4805edb5f87a527094e505a5b30fb2de8dc
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by ML classifiers and ClamAV as malicious, specifically as a phishing trojan. It contains an embedded URI pointing to 'vilenefex.ru', which is likely part of a lure to download or execute further malicious content. The document body, though heavily obfuscated, appears to reference 'Apowersoft video capture', suggesting a pretext for the malicious link.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9960

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://vilenefex.ru/123?utm_term=apowersoft+video++capture+6.+4.+7

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000f1b7.bin
    SHA-256: 7c9d5fda60d802fc47ce24a150c96d49425258d936e0feb036790d73e0a2b1a1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF1B7
    Size: 5612 bytes
  • font_01_sfnt_off0001050b.bin
    SHA-256: 5da7bb130a978e4293724cc3c306132940f90aacadb90f9ebf8e67f7a57cd6c4
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1050B
    Size: 10596 bytes