Malicious PDF — malware analysis report

Static analysis result for SHA-256 d1732e31a2c825cd…

Verdict: MALICIOUS
File type: PDF
Size: 79.8 KB
Created: 2021-03-29 22:55:08 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f7253f4086128963be2556b8ccfd9444
SHA-1: 78e68a5a5655349202cba37f45bfb0768bf81987
SHA-256: d1732e31a2c825cd2fec8b723fde73ce4a60b84885895909c5a7137a1b7f1ff9
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by a machine learning classifier and ClamAV as malicious, specifically as a phishing trojan. It contains an embedded URI pointing to 'vilenefex.ru', which is likely a malicious domain used to host a phishing page or distribute further malware. The document body, though heavily obfuscated, suggests a lure related to 'call for papers'. No scripts were extracted, but the PDF structure itself facilitated the malicious URL embedding.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://vilenefex.ru/wix?keyword=aaal+2020+call+for+papers

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                        Kind             Source                                      Size
font_00_sfnt_off0000ef7f.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0xEF7F   4828 bytes
  SHA-256: 09a65d2a0fd3a31a4eafa6a67c0978cb8545ba38cf4e0c0fdf6944c03e39f5a3
font_01_sfnt_off0000ffe4.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0xFFE4   10552 bytes
  SHA-256: bec0ef5d0c3ffc23571a09657ea082b5cebabe192408c2269637244b204ec610
font_02_sfnt_off00012392.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x12392  4324 bytes
  SHA-256: 1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361