Malicious PDF — malware analysis report

Static analysis result for SHA-256 ede01af18aa18e1b…

MALICIOUS

PDF

Size: 102.3 KB
Created: 2021-03-22 09:28:59 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 31774d61233c8de8cf50f12e7a9dcfc1
SHA-1: 294256c15b9143897b247b4f0da4befe015ff7ec
SHA-256: ede01af18aa18e1b567194e329bef57397275a94c092b4178639305bd7b436ca
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is flagged as malicious by both the Nyx PDF classifier (score 0.9990) and ClamAV, whose signature names it a PDF phishing trojan. No JavaScript or other script was extracted, so the T1059.007 mapping rests on the signature rather than on recovered code. What the static analysis does show is a link action whose target, https://vilenefex.ru/123, carries a utm_term of "peugeot boxer owners manual": the document poses as a Peugeot Boxer owner's manual to get the reader to click through. Alongside it the document carries a long list of further .pdf links on throwaway domains and free hosting, a pattern typical of mass-generated search-engine lure documents, and the wkhtmltopdf authoring string is consistent with the file having been produced by printing such a generated web page to PDF. One indirect object is also defined twice with different bodies, so a first-wins and a last-wins reader resolve different content. Taken together, the structure and the URI heuristic indicate a document built to redirect the user to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware under the signature named above.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary lure URL (the vilenefex.ru link named in the summary above):
    • https://vilenefex.ru/123?utm_term=peugeot+boxer+owners+manual
    Further .pdf links of the same lure family (keyword-stuffed or random filenames on throwaway domains and free hosting such as weebly.com, strikinglycdn.com, filesusr.com, epizy.com and rf.gd):
    • http://workshop-fb.ru/how_much_does_dialectical_behavior_therapy_costky0x1.pdf
    • https://vepiniripalur.weebly.com/uploads/1/3/4/2/134235349/e361b9.pdf
    • http://babbieshop.ru/persuasive_speech_topics_for_college_students_20176gils.pdf
    • http://xtrading.buzz/test_power_supply_without_pc60awj.pdf
    • http://dreabling.online/multiplying_fractions_word_problem_worksheet5uqcw.pdf
    • http://ompala.store/64530908631zc33d.pdf
    • http://detonic-ordina.website/5023994709zowfq.pdf
    • http://svoydvalend.xyz/fajinovopilaradetr73se.pdf
    • https://monezoxikaxusoj.weebly.com/uploads/1/3/1/4/131453753/kujugapebo-wowikuxogozuj.pdf
    • http://psyhologrzn.ru/how_to_reboot_verizon_fios_router_remotelymamws.pdf
    • http://italia-doc.space/product_game_board7fm81.pdf
    • https://uploads.strikinglycdn.com/files/8be6f9dd-7da1-43e5-8819-cc6aaae3b1f2/wonoj.pdf
    • http://dozonexupiwef.epizy.com/58898490393.pdf
    • https://uploads.strikinglycdn.com/files/a30f02e8-2771-4ab0-bb9f-886df2f74055/wolidefagusevunumuk.pdf
    • http://tapimezekuboj.rf.gd/what_does_service_b_due_mean_on_a_mercedes.pdf
    • https://uploads.strikinglycdn.com/files/330ff708-a5e0-42cf-8fb0-3b6f39348e78/hindi_alphabet_audio_songs_dj.pdf
    • https://b6f97e74-198a-461d-a312-d71b9712332b.filesusr.com/ugd/a2d007_fc3c425959a64f2fbdf43af4142db3c6.pdf?index=true
    • https://18e7ef82-5c75-44fe-ae22-4c356c2c9ce0.filesusr.com/ugd/749e61_b4b3baeb95ab4f9e9da797a5ebcb673f.pdf?index=true
    • https://2ddedb0e-b7b0-41c9-a8bc-c018bd0e6e4c.filesusr.com/ugd/70094d_a8e86256ca04496497b374ba9d72b797.pdf?index=true
    • https://uploads.strikinglycdn.com/files/23dd0cae-adaf-4cbf-88bd-0fc04dbf7414/sat_math_questions_by_topic.pdf
    • https://203e60c5-e32a-4587-ab6d-31d66de6d5b9.filesusr.com/ugd/014c36_5bc4a39cbfd14d6fa4b58702ee365e53.pdf?index=true
    Font vendor and licence links of the kind carried in embedded fonts' name tables (Ascender Corp, DejaVu, SIL Open Font License); not indicators:
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    • http://scripts.sil.org/OFL
    XMP metadata namespace URIs (schema identifiers, not links the reader can follow); not indicators:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
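The two structural heuristics above, PDF_URI and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, as an added Python example. This is editor-added code, not the report's own or its analysis engine's, and it runs on a constructed two-revision PDF fixture rather than on the analysed sample. The vendor.example and lure.example URLs, the object numbers and the list of keys treated as "active content" are assumptions chosen for the illustration; only uncompressed "N G obj ... endobj" objects are parsed, so objects packed in object streams would need inflating first.

```python
"""Added example, not part of the report or its analysis engine: a minimal
scanner for the PDF_URI and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL shapes, run on
a constructed two-revision PDF (the analysed sample's objects are not
reproduced). Only uncompressed "N G obj ... endobj" objects are parsed."""
import re

# "N G obj <body> endobj"; the look-behind stops a match starting mid-number.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
# Literal-string /URI value, tolerating a backslash-escaped ')' inside it.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
# Assumed set of keys whose presence makes a duplicated body "active content".
ACTIVE_KEYS = (b"/URI", b"/JavaScript", b"/JS", b"/Launch", b"/GoToR", b"/SubmitForm")


def parse_objects(pdf):
    """Every indirect-object definition in file order, duplicates included:
    (objnum, gen, body, byte offset)."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3).strip(), m.start())
            for m in OBJ_RE.finditer(pdf)]


def duplicate_bodies(objs):
    """(N, G) -> [(offset, body), ...] for objects defined more than once with
    differing body bytes; byte-identical re-definitions are ignored."""
    by_key = {}
    for num, gen, body, off in objs:
        by_key.setdefault((num, gen), []).append((off, body))
    return {k: v for k, v in by_key.items() if len({b for _, b in v}) > 1}


def resolve(objs, policy="last"):
    """Object table as a first-wins or last-wins reader would build it."""
    table = {}
    for num, gen, body, _ in objs:
        if policy == "first" and (num, gen) in table:
            continue
        table[(num, gen)] = body
    return table


def uri_actions(table):
    """All /URI targets in a resolved table (the PDF_URI heuristic)."""
    return [(key, m.group(1).decode("latin-1"))
            for key in sorted(table) for m in URI_RE.finditer(table[key])]


def scan(pdf):
    objs = parse_objects(pdf)
    dups = duplicate_bodies(objs)
    # Severity is raised only when a duplicated object carries active content,
    # as the heuristic description says; plain body drift stays at "info".
    active = sorted(k for k, versions in dups.items()
                    if any(key in body for _, body in versions for key in ACTIVE_KEYS))
    return {
        "duplicates": sorted(dups),
        "active_duplicates": active,
        "uri_first_wins": uri_actions(resolve(objs, "first")),
        "uri_last_wins": uri_actions(resolve(objs, "last")),
        "severity": "high" if active else ("info" if dups else "none"),
    }


# Constructed fixture: an original revision, then an incremental update that
# redefines the link annotation 4 0 so that it points somewhere else.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>\nendobj\n"
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 200 20]\n"
    b"   /A << /S /URI /URI (https://vendor.example/owners-manual.pdf) >> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 200 20]\n"
    b"   /A << /S /URI /URI (https://lure.example/123?utm_term=owners+manual) >> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for k, v in scan(SAMPLE_PDF).items():
        print(f"{k:18} {v}")
```

Running it shows the point of the heuristic: a first-wins reader resolves object 4 0 to the vendor URL, a last-wins reader to the lure URL, and because the duplicated body carries a /URI action the finding is raised above "info".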

Extracted artifacts (4)

Files carved from inside the sample during analysis. Three of the four are embedded fonts, which a wkhtmltopdf-produced document is expected to carry; compare their hashes against known-good font files before treating them as suspicious.

Filename                      Kind                      Source                                       Size
stream_006_off00016892.bin    decompressed-pdf-stream   PDF FlateDecoded stream at offset 0x16892    20696 bytes
  SHA-256: ca9abd57a3226726a7e81e2fbb292144124e1221ae4d989be93b1ad22016209d
font_00_sfnt_off00010139.bin  pdf-font-stream           PDF embedded font (sfnt) at offset 0x10139   8316 bytes
  SHA-256: ec00f36766e348ff10e93c3122be763f5c004296ec0f704a2cd2e48e130eb5ac
font_01_sfnt_off00011cff.bin  pdf-font-stream           PDF embedded font (sfnt) at offset 0x11CFF   5304 bytes
  SHA-256: b0bd2ec8b7ab4301fcf7c43537e06e34627ceb5d310ddbd923ef0aa71385b53c
font_02_sfnt_off00012f0c.bin  pdf-font-stream           PDF embedded font (sfnt) at offset 0x12F0C   20760 bytes
  SHA-256: c4ab610b13fb5683a2ad09ddfafb5801e508fca40fbdcfc3096e2576b6c9093d
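How an artifact table like the one above can be produced, as an added Python example that is not the report's own tooling: it carves FlateDecode streams out of a PDF, inflates them, recognises sfnt fonts by their 4-byte header, and reports filename, kind, source, size and SHA-256 in the table's format. The PDF, the font bytes and the content stream are a constructed fixture, not the analysed sample; the filename scheme mirrors the table only loosely, and the /Length handling is simplified to direct values (an indirect "/Length N 0 R" falls back to scanning for the endstream keyword).

```python
"""Added example, not part of the report or its analysis engine: carve the
FlateDecode streams out of a PDF, inflate them, recognise embedded sfnt fonts
by their 4-byte header, and emit the filename / kind / source / size / SHA-256
fields of the artifact table. The PDF is a constructed fixture."""
import hashlib
import re
import struct
import zlib

# "N G obj <<dict>> stream\n"; the tempered dot keeps a match from spilling
# across an "endobj" into the next object's dictionary.
STREAM_RE = re.compile(
    rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b((?:(?!endobj).)*?)stream\r?\n", re.S)
# Direct /Length only; an indirect "/Length 7 0 R" is deliberately skipped.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")
# TrueType 1.0, Apple 'true', CFF-based OpenType, and TrueType collections.
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO", b"ttcf")


def classify(data):
    """Kind label used in the table: sfnt font or generic inflated stream."""
    return "pdf-font-stream" if data[:4] in SFNT_MAGICS else "decompressed-pdf-stream"


def carve_streams(pdf):
    """One record per FlateDecode stream object, in file order."""
    records, pos, n_font, n_stream = [], 0, 0, 0
    while (m := STREAM_RE.search(pdf, pos)):
        dict_text, start = m.group(3), m.end()
        length = LENGTH_RE.search(dict_text)
        if length:                                  # trust a direct /Length
            end = start + int(length.group(1))
        else:                                       # otherwise stop at the keyword
            end = pdf.find(b"endstream", start)
            if end < 0:
                break
        pos = end                                   # never rescan stream bytes
        if b"/FlateDecode" not in dict_text:
            continue
        try:
            # decompressobj tolerates the EOL the keyword fallback leaves attached
            data = zlib.decompressobj().decompress(pdf[start:end])
        except zlib.error:
            continue                                # corrupt, or not really deflate
        kind = classify(data)
        if kind == "pdf-font-stream":
            name = f"font_{n_font:02d}_sfnt_off{m.start():08x}.bin"
            source, n_font = "PDF embedded font (sfnt)", n_font + 1
        else:
            name = f"stream_{n_stream:03d}_off{m.start():08x}.bin"
            source, n_stream = "PDF FlateDecoded stream", n_stream + 1
        records.append({
            "filename": name,
            "sha256": hashlib.sha256(data).hexdigest(),
            "kind": kind,
            "source": f"{source} at offset 0x{m.start():X}",
            "size": len(data),
            "object": (int(m.group(1)), int(m.group(2))),
            "offset": m.start(),
        })
    return records


def fake_sfnt():
    """Constructed TrueType offset table (version 1.0, two empty table records)
    plus padding: enough to be recognised by header, not a usable font."""
    header = struct.pack(">IHHHH", 0x00010000, 2, 32, 1, 0)
    records = b"".join(struct.pack(">4sIII", tag, 0, 0, 0) for tag in (b"cmap", b"glyf"))
    return header + records + b"\x00" * 64


def stream_object(num, extra, data):
    """Serialise one FlateDecode stream object for the fixture."""
    body = zlib.compress(data)
    return (b"%d 0 obj\n<< %s/Length %d /Filter /FlateDecode >>\nstream\n"
            % (num, extra, len(body)) + body + b"\nendstream\nendobj\n")


FONT = fake_sfnt()
CONTENT = b"BT /F1 12 Tf 72 720 Td (Owner's manual) Tj ET\n"
# Constructed fixture; the /Length1 key on the font object must not be
# mistaken for the stream's /Length.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    + stream_object(5, b"", CONTENT)
    + stream_object(6, b"/Length1 %d " % len(FONT), FONT)
    + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for r in carve_streams(SAMPLE_PDF):
        print(r["filename"], r["kind"], r["source"], f'{r["size"]} bytes', r["sha256"], sep="  ")
```

The carver advances past each stream's bytes rather than regex-scanning through them, so compressed data that happens to contain "N G obj" cannot create a phantom object; the SHA-256 is taken over the inflated bytes, which is what makes the table's hashes comparable against known-good font files.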