Malicious PDF — malware analysis report

Static analysis result for SHA-256 b40501e45b76f1f8…

MALICIOUS

PDF

80.0 KB Created: 2021-05-10 04:47:33 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d7b18c023190867570acc90c4ca060fc SHA-1: d05edb396a50632ce5e1b2311d88eec7dc7dba91 SHA-256: b40501e45b76f1f8b4580f1fd52f6ad6212aadbe9608cdfd6d3706a29261b856
134 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF file was flagged by ML classifiers and ClamAV as malicious, indicating a phishing or trojan distribution attempt. It contains numerous external URIs, including a suspicious link to 'vilenefex.ru' and a direct PDF download from 'urologo.store', suggesting it's part of a link farm designed to redirect users to malicious content. The presence of a 'download button' heuristic further supports the lure-based attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://vilenefex.ru/strik?utm_term=cbt+worksheets+for+anxiety+uk
    • http://urologo.store/dufipanulubuzijy4zc2.pdf
    • http://lnstagramverifiedsbadgeform.com/futekefenir20fpv.pdf
    • http://budokudepa.scienceontheweb.net/depazoge.pdf
    • http://kutakelipaxeb.22web.org/dingbats_examples_with_answers.pdf
    • http://pc-remont.website/siwubeporusa13jwy.pdf
    • http://ag-management.space/kepofifav4joau.pdf
    • http://rezltml.xyz/best_construction_project_management_software_for_small_businessv44k0.pdf
    • http://tokio-2020.fun/wosomop93f81.pdf
    • http://uuuuull.space/what_is_humanism_theoryqe7b1.pdf
    • http://desokore.medianewsonline.com/convert_in_word_document_free_online.pdf
    • http://silkhfig.bid/20435735909v4bmz.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://b1b1ed1d-a631-407f-b8a0-2f609481a9c2.filesusr.com/ugd/3e5895_b925fe8a34534fcd9cc4c5eb458d8687.pdf?index=true
    • http://gozebodene.rf.gd/29451023144.pdf
    • https://6b2d4799-12fc-456d-8881-596234ac9a0a.filesusr.com/ugd/ae8ff6_d2e65a321e84416983481d334f96473f.pdf?index=true
    • https://5ee0d2ad-6486-47ce-ab7d-0e7b2bae4193.filesusr.com/ugd/bc0d1e_570fa431bbf8474f8500926f797ace9a.pdf?index=true
    • http://rixibedi.onlinewebshop.net/polo_ralph_lauren_coupon_2021.pdf
    • https://8d59741e-369e-44be-b01e-8fbcb09d2d01.filesusr.com/ugd/7cefa9_bed7a9e3d9304638acbcd7d71c00a0c5.pdf?index=true
    • https://0ac950e2-707a-4e47-8bf4-daface0ea9db.filesusr.com/ugd/356f11_cb5dd088c39a493193ea5d65fbe15dfb.pdf?index=true
    • http://wolobugoxew.myartsonline.com/zisuvomufotufuluzamudu.pdf
    • http://rafodize.rf.gd/ninelekozo.pdf
    • https://c01188fd-d8af-4b86-846b-090f7ecd58d8.filesusr.com/ugd/9058e5_dd23950124e146489cebcd9fd7acd2e1.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e577.bin
c98c2f7e44d98f525b4e29667c0adcb0df3dfcbf7d968f62b5e001b9f3cb9d7a		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE577 5192 bytes
font_01_sfnt_off0000f735.bin
29f6cb55e4c030b869a5594feb5c6f4879066b17a9e2a7466075e7daa284879a		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF735 10948 bytes
font_02_sfnt_off00011cb9.bin
31aa257675234f953cb39254c73a0c002637764ec2691c470e0912636c3685cf		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11CB9 16204 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.