Malicious PDF — malware analysis report

Static analysis result for SHA-256 df0f46c08ceed7ec…

MALICIOUS

PDF

84.9 KB Created: 2021-03-30 06:49:21 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-23
MD5: 3dbf6982d3f18de04f81c012bdd85190 SHA-1: aec1319309b113c854df0d82945915af60334a39 SHA-256: df0f46c08ceed7eca36e88eb802dfa350dc7307c5012797950675c3facaf1728
226 Risk Score
Tags
free-cdn-ebook-manual-lure

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains an embedded JavaScript payload, indicated by the PDF_EMBEDDED_SCRIPT_PAYLOAD heuristic and the presence of a script artifact. This script is likely designed to download and execute a second-stage payload from one of the embedded URLs, such as https://vilenefex.ru/wix?keyword=talking+angela+hack+apk+download+free. The document's content and structure, along with the ML_NYX_PDF_MALICIOUS and CLAMAV_DETECTION firings, strongly suggest a malicious intent, likely phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics 8

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://vilenefex.ru/wix?keyword=talking+angela+hack+apk+download+free PDF link annotation
    • https://cdn.sqhk.co/xoxujagemo/e7a5jfq/4th_grade_multiplication_worksheets_with_answers.pdfIn PDF document text
    • https://cdn.sqhk.co/raxinosi/UhfheqJ/lukeworenepele.pdfIn PDF document text
    • https://cdn.sqhk.co/jukowejazus/gioidrP/rulorugulagelute.pdfIn PDF document text
    • http://smcjd.com/how_to_reset_casio_calculator_fx-9860giiitlj8.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4380088/normal_6025fd2982aec.pdfIn PDF document text
    • http://tamodemuror.getenjoyment.net/68063639504.pdfIn PDF document text
    • http://help-copyrightservice.xyz/barn_burning_social_class_themekvqqc.pdfIn PDF document text
    • http://fimewot.xyz/padi_open_water_certification_tulum8phx2.pdfIn PDF document text
    • http://rapoxarawiwalo.sportsontheweb.net/zend_avesta_fechner.pdfIn PDF document text
    • http://bulakirip.getenjoyment.net/what_is_the_best_gas_mask_filter.pdfIn macro / runtime command snippet
    • http://wuduwoguto.22web.org/48455215647.pdfIn macro / runtime command snippet
    • https://cdn-cms.f-static.net/uploads/4472506/normal_5fd995cc5ce53.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4470385/normal_601ddaab50d62.pdfIn PDF document text
    • https://cdn.sqhk.co/gijimexuv/oCyggbK/wulufikexad.pdfIn PDF document text
    • http://goldotzyv.ru/dedarabadogapuruxehmsdo.pdfIn PDF document text
    • https://cdn.sqhk.co/mijajijem/pPgg3jj/soturazedunazetev.pdfIn PDF document text
    • http://rapoxarawiwalo.sportsontheweb.net/zendIn macro / runtime command snippet
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://dokudaruriwiv.atwebpages.com/lokosarozuba.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/a5f2b51f-d909-4593-8a55-8c58eb3f6ca5/yamaha_ef3000iseb_generator_battery_replacement.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/2ac285ed-8d39-4130-9d84-f231a6a77fbf/what_are_the_five_elements_of_narrative_identified_by_this_chapter.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/0ab01336-5adc-45a8-82c8-2e4310df1d24/crosley_record_player_turntable_not_spinning.pdfIn PDF document text
    • http://kovemipenege.rf.gd/azure_ad_connect_powershell.pdfIn PDF document text
    • http://fimamuvumurepu.rf.gd/dodopisidudesupijinuwexa.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_pdf_script_00009a53.bin pdf-embedded-script PDF decompressed stream script payload at offset 0x9A53 86981 bytes
SHA-256: be5de251fe27727413abe510241e41131174217a47ba3ba31d9df9ff6b5bff7a
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 shell/COM execution token(s).
Preview script
First 1,000 lines of the extracted script
%PDF-1.4
1 0 obj
<<
/Title (�� T a l k i n g   a n g e l a   h a c k   a p k   d o w n l o a d   f r e e)
/Creator (�� w k h t m l t o p d f   0 . 1 2 . 5)
/Producer (�� Q t   4 . 8 . 7)
/CreationDate (D:20210330064921+03'00')
>>
endobj
3 0 obj
<<
/Type /ExtGState
/SA true
/SM 0.02
/ca 1.0
/CA 1.0
/AIS false
/SMask /None>>
endobj
4 0 obj
[/Pattern /DeviceRGB]
endobj
6 0 obj
<<
/Type /XObject
/Subtype /Image
/Width 625
/Height 155
/BitsPerComponent 8
/ColorSpace /DeviceRGB
/Length 7 0 R
/Filter /DCTDecode
>>
stream
����  JFIF     K K  �� C                                    	 	  
   


      	  
      �� C                                                                 ��    � q  "       ��                            	
 �� �                }        !1A  Qa "q 2��� #B�� R��$3br�	
     %&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz���������������������������������������������������������������������������                            	
 �� �                w       !1  AQ aq "2�  B����	#3R� br�
 $4�%�    &'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz��������������������������������������������������������������������������          ? ���dž-~!�.����mv��D&d�� �� =I ���	> xi���%��hʆ�_�� x�� �sG��V�o��T � : ޱ�~��:��9ݴc ϿN}{ La� NSm���)�
� 4�#ol\J  ��ޔ�� ��nAa R�dK&z����<WH ��
��܄ �1��� ?�d]� ���*�s���  �sҝ�涶�?��9� 
sð��Ӕ+���/ �;�� _z�O�   A�U	; � �gw�tj����{ ;����Sbb��C���   8< {�j����t�����lsg� �B0 v�� \��I<��"|!��1̀*�i h�� ������&Y~V �
�8�F ��Q�hѶ6��y~B��  �T� �֫U�i�3�� �5����K� �yp~�6:�|  �9 $i���3 9��t�N ���r�T�v� q�q��}8��JXƏ�"�\  �_a����*3��� ���  �  ��yGo�� � <<�(:j~�}�:Q���n s�����` �ʌ  �� ����d� '���� �B�J�79v�'��m���r �R  ������ |9 VM>1�叙&� � �ק\���t�S a�8�1� M2F R v �6 �z� � ����9b������  ��$�?s��� ��7�L� �;����MV ��=��.���� �8W  �r9�q������� ��� �К�� �3� �� �T�9AS��y ����<�� �� � ȶ �d����� �{�U�l��q��A  �ʔ��� n~nF�t�y �/!7}^�7'�O
��I��� �RH� ��   �7���;   ��d#�  � N8��]rQ��rrs��I&c$  � �� ,� �h�B����� ��7�� D .��d _>@��g �1����w@�� ,䜓4�  0 ���k��� ��8%��c�'��>�� B\�*G�G��O� P�֞ۉK��?���  �#�E��2���?y��  ��1��H� <<Q �Q���e�b;|��z�bVO��89� �9�  n�  �>m�FXd�Ӝ �@��W ���sQ� ��g p
��&�S�O���#��? �6y t�� �n$��wWI�e��l�   2 q�}:z�I[h  I8 rr{zt&�
������ xm'y J ���@ 1���t]| ��B?����*PW�}�u�U� �0 �� / )Ƿ �� �0�0��v �q���� O�� ��{�; ���G4�	|4�[
/
�@c4��q��g'=��T��ׇ�5
�9(HL��� �V'��q���FU    ��< �����iW,�  * 8�������AQյ{� ���˧��  O�F� ��&� v�͎�ΐ� ��ݍ7>g%��)' ᄎw�J   pI_�=>�)͉ ;� �OLq��\\����_y������H��~�o�f����u�9��M�w�~h-`Y� �yK �{�q�WR� u$d� ����� ���ʨO1N8� g� ��M AI�=_��  �W�� ��  Xer9k�rp	����ӽ,� �>� �_��̘9�տ�k�C&��"��� �2O���K"� �I
K �dzw� ɣ��|�Z#�_�> T1=�a�1��01� � �; �  �ۮ~���n n%\ ����WN�"1�Р
�r ��Q�� �P �  ���� ny�qۗE���r �~ �j���`�O(!�����H~ xq!S���h!�<��?�9�] ƅCof � ��L ^�� '� VW9 �� ���t[Q)>[7��s�o�  ����x\��PH#������ Ò8V�Ԓ� �J3�~��t0�(( c8P�s���� �� ~ͽ6�<�{ IϷ�E��ҿs�o�� �1�����q)-�H 7\ � � �1<�� � *�C � A��c� ���$ �
��  #��� қ b�*~a�F:sϧ��4'mI���+�zv9��7��� ��*1�4��� k��4� ��N�X
�$ �K��c w^��?Z�ԩu� ��  Fry����!Y U��+o#�;
 ܕ�_խ�c�? <6��N   s.= �C�#�� 6<I��k�p�C��5��m� 9, �=9�=9 ��� �� h��9���I��r������:{����s7 9�^����sҟq��Î�6 �u �Ls���WK EARv�6���: ��C���H�n '�I�s� ��K������� �Nl|#�� ?��   'r� ��o�A�{�j���^1�3q' ����� ��� .�
���n>�����4M H� �  �    /Β�ڝ�� ?�� ��� � ��@l�`r�h����׃S �~ � �  ��3K��$��9�9��� �(]De��{���߽F �	  � ��>���򧹚n:���� ��w�  �ု�|�`m �R�9�]� s��FOU��'��|���V?���lc ��LWJ y�;� � �o��� �Ldb� �0�~_��(�e��5m�� _��?�? ,� &���� �K�R8��? �> �y�\��^	�<�`  !�}Gz�
���=�:};SZ@�l
��	'�����9\]�������  ���� 0'� ��|�>�������� "5 � |�����'�ߝtP H�w���� 9 �2G^�����H�w Ж�Ü � 1A���� � �~ ��4�9 Cy� � � �lzv� �^ V�l F�I �2� �   ��`WH I�p��Q�p8 ?C��b��p � p� �����N�	�v�����S�  �9 � ��  �ļ {�� ��u�7��   �t�(��o�I�� ������x�PI'������n ��g8� cp���Rk��� �S�  <5,\i�U� n$l�?�ǯ� ���4  ��׆� <�# �9��)y7� �}���C�� �U$�w ӿ^?�=)� �7�^� ����sq�'��N$���2w}�R6� �^�T'���̪WM� ���D� ��    ����B �i ���A��x����
�M텉 [ d`����%mPN��e�Z� ����� �� Ń|��� I�G�$� z� ӥ�7�� � s�n�R�'���w㧵t� ���I ch�hg/ !��NWo� �y�~)u*��˟�> )�-� � R�9�w� �߱�)�=�� Ut��u �C��I���@�m wew};�L ���-�)#��=��=���_���� ��?�!T x�T�?��9#��@?*h�;��r�Ʉ�� �7rq��x����U�eNI ����sQ�˳��@ݴ �����=�
... (truncated)
font_00_sfnt_off0000f7e8.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF7E8 5344 bytes
SHA-256: 9717ee9fa4001d6e9b103001363c3bfc36134347b16914c14233efc27108d614
font_01_sfnt_off00010a25.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10A25 10984 bytes
SHA-256: ad8b35e63a8e5bb7c64a6ef665eeaf551674a867d3e7ad99b0e0c76264c334d0
font_02_sfnt_off00012fc9.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x12FC9 16660 bytes
SHA-256: 5c37151e58b57006fec45205b953024960161fc126972448518f450544b1ac12

Open this report in the interactive analyzer, or submit your own file for analysis.