Malicious PDF — malware analysis report

Static analysis result for SHA-256 f881da5c52e947a7…

Verdict: MALICIOUS
File type: PDF
Size: 81.2 KB
Created: 2021-03-21 05:57:25 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: dabf21eff096383f14eec2e9fea7725a
SHA-1: e99bbf59e2d24a320903104c62f38db375eb3703
SHA-256: f881da5c52e947a75463d07fee115857371236b629a47b7c400688ae8ade8414
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file was flagged by ClamAV as Pdf.Phishing.Trojan and the ML classifier scored it 0.9996 malicious. The PDF_SEO_LINK_FARM heuristic fired because this small, wkhtmltopdf-generated document carries a large number of clickable external links to other PDFs, hosted on free site-builder, CDN and object-storage hosts (weebly.com, strikinglycdn.com, s3.amazonaws.com, f-static.net and others), with the first-listed URL on vilenefex.ru carrying a double percent-encoded SEO keyword query. The document's purpose is to route search-engine traffic into a chain of look-alike PDFs and from there to malicious or unwanted-software delivery, rather than to deliver an exploit directly. Note that none of the listed heuristics reports JavaScript in the file, so the T1059.007 mapping is not corroborated by the static findings shown here.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (5)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so the severity is raised only when the duplicate carries active content; in this file it stays at info.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels (macro, JS, link annotation, document body, ...) say which channel reached each URL and are not reproduced on this page.
    Link-farm targets (landing page and further PDFs on free site-builder, CDN and object-storage hosts):
    • https://vilenefex.ru/wix?keyword=tipos+de+%25C3%25A1ngulos+en+ingl%25C3%25A9s (first-listed; the keyword parameter is double percent-encoded and decodes to "tipos de ángulos en inglés")
    • https://cdn-cms.f-static.net/uploads/4427523/normal_6056723c8b41b.pdf
    • http://verifiedbadges-form.com/98532890935f08mv.pdf
    • https://majotowuwirup.weebly.com/uploads/1/3/5/3/135346036/b2062f.pdf
    • http://kalavar.xyz/mount_and_blade_bellum_imperii7s8h6.pdf
    • https://wuxagukokixeg.weebly.com/uploads/1/3/5/3/135398542/dasise.pdf
    • http://jerevuxo.iblogger.org/zazogilonubotur.pdf
    • http://mstmail.space/uefa_champions_league_table_standings_2020zcrrx.pdf
    • https://static.s123-cdn-static.com/uploads/4499653/normal_5feb98b549ee8.pdf
    • https://s3.amazonaws.com/bogeguva/what_is_definition_of_community_work.pdf
    • https://uploads.strikinglycdn.com/files/6c0eeefd-fa32-4c17-80e7-901791031a18/1530640.pdf
    • http://siwufevukopi.epizy.com/sogadoza.pdf
    • https://s3.amazonaws.com/gujutavevive/kabezaturedinef.pdf
    • https://uploads.strikinglycdn.com/files/396872a4-cc2b-4398-8a09-34bb0e7d27bd/plantronics_s12_user_guide.pdf
    • https://uploads.strikinglycdn.com/files/521aa19a-e999-41fa-bed4-f5544af8efc2/lean_six_sigma_tutorial.pdf
    • https://uploads.strikinglycdn.com/files/4b108440-9c00-4859-b516-addb2bf5dd26/17902613373.pdf
    Metadata references (XMP namespace URIs and font licence/foundry pages, expected in wkhtmltopdf output; most likely reached via XMP metadata and embedded-font name tables rather than link annotations, so they are not part of the link farm):
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
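The two structural heuristics above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, can be reproduced with a few regular expressions over the raw file. The following is an added example written for this page, not the scanner's own implementation: it pulls every /URI action target, measures how strongly the PDF-to-PDF links cluster on one host, decodes the double percent-encoded keyword parameter seen in the vilenefex.ru URL, and reports any object number that is redefined with different bytes, raising severity only when the later body carries active content. The sample PDF, the host names farm.example and other.example, the thresholds and the ACTIVE_KEYS list are all constructed assumptions for the example; objects inside compressed object streams are not decoded.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlparse

# Constructed sample, not the analysed file: a tiny uncompressed PDF with four
# /URI link annotations (three on one host) and an incremental update that
# redefines object "4 0" with a body carrying active content.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R 8 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://farm.example/a.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://farm.example/b.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://farm.example/c.pdf) >> >> endobj
8 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://other.example/d.pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /JavaScript /JS (app.alert(1)) >> >> endobj
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
# Keys whose presence in a redefined object turns a benign-looking incremental
# update into something a reader may execute (assumed list, extend as needed).
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/OpenAction", b"/AA", b"/Launch", b"/SubmitForm")


def extract_uris(data):
    """All /URI action targets in the raw bytes (compressed /ObjStm not decoded)."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(data)]


def link_farm_assessment(uris, min_links=3, min_cluster=0.5):
    """PDF_SEO_LINK_FARM shape: several external links to other PDFs, mostly on
    one host. Thresholds are assumptions for this example, not the scanner's."""
    pdf_links = [u for u in uris if urlparse(u).path.lower().endswith(".pdf")]
    result = {"links": len(uris), "pdf_links": len(pdf_links), "flag": False}
    if len(pdf_links) < min_links:
        return result
    host, n = Counter(urlparse(u).hostname or "" for u in pdf_links).most_common(1)[0]
    ratio = n / len(pdf_links)
    result.update(top_host=host, cluster_ratio=round(ratio, 2), flag=ratio >= min_cluster)
    return result


def decode_keyword(url, param="keyword", max_rounds=5):
    """Undo repeated percent-encoding of a query parameter until it is stable;
    the sample's keyword is double-encoded (%25C3%25A1 -> %C3%A1 -> á)."""
    params = dict(p.split("=", 1) for p in urlparse(url).query.split("&") if "=" in p)
    value = params.get(param, "")
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def duplicate_objects(data):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL shape: the same (num, gen) defined more
    than once with different bytes. Reports both offsets so first-wins and
    last-wins resolution can be compared, and raises severity only when the
    later body carries active content."""
    first, findings = {}, {}
    for m in OBJ_RE.finditer(data):
        key = (int(m.group(1)), int(m.group(2)))
        body = m.group(3).strip()
        if key not in first:
            first[key] = (m.start(), body)
            continue
        f_off, f_body = first[key]
        if body == f_body:
            continue  # byte-identical redefinition, nothing to resolve
        active = [k.decode() for k in ACTIVE_KEYS if k in body]
        findings[key] = {
            "obj": key,
            "first_offset": f_off, "first_len": len(f_body),
            "last_offset": m.start(), "last_len": len(body),
            "active_content": active,
            "severity": "high" if active else "info",
        }
    return list(findings.values())


if __name__ == "__main__":
    uris = extract_uris(SAMPLE_PDF)
    print(link_farm_assessment(uris))
    print(decode_keyword("https://vilenefex.ru/wix?keyword=tipos+de+%25C3%25A1ngulos+en+ingl%25C3%25A9s"))
    for finding in duplicate_objects(SAMPLE_PDF):
        print(finding)
```

Run against the real sample, the duplicate-object finding would carry no active keys and stay at info, matching the report; the link-farm check is the part that fires. The regex scan deliberately ignores xref tables, so it sees every definition in the byte stream, which is exactly what distinguishes a first-wins from a last-wins parser.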

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename, SHA-256, kind, source, size:

font_00_sfnt_off0000de81.bin
  SHA-256: 0a4b5c31f4257e5a2707017370dcf829c84058060820f6748bf1d2aeb2c81f0e
  pdf-font-stream, PDF embedded font (sfnt) at offset 0xDE81, 3044 bytes
font_01_sfnt_off0000e955.bin
  SHA-256: f77657bc105723dc6f0ca2fae135b59b54eb46bca300f75551e36e37fda2def8
  pdf-font-stream, PDF embedded font (sfnt) at offset 0xE955, 5144 bytes
font_02_sfnt_off0000fa9d.bin
  SHA-256: 4d9eb72dd3e4a0bae1c82e58f77e89bfb8623d3595e43c24f466c62496a7c7e2
  pdf-font-stream, PDF embedded font (sfnt) at offset 0xFA9D, 11688 bytes
font_03_sfnt_off000120cf.bin
  SHA-256: 4ce97752c8d1ed0b0302a1507788019c6b738cc3ee96ca273f61f92c287db7cd
  pdf-font-stream, PDF embedded font (sfnt) at offset 0x120CF, 16072 bytes
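To show how rows like "sfnt at offset 0xDE81, 3044 bytes" are derived, here is an added example, not the analysis tool's own code, that locates sfnt headers (TrueType 0x00010000, CFF-flavoured "OTTO", Apple "true") in a byte buffer, validates the table directory so that stray byte runs such as a PDF boolean `true` are rejected, and computes each font's extent from the highest table end plus 4-byte alignment, together with its SHA-256. The font data and the surrounding stream text are constructed for the example; in wkhtmltopdf output the font streams are normally FlateDecode-compressed, so in practice this runs over decoded stream data.

```python
import hashlib
import struct

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true")


def sfnt_length(buf, off):
    """Length of the sfnt starting at buf[off], derived from its table directory.

    Returns None unless the header and every table record are plausible; this is
    what filters out 'true' / 00010000 byte runs that are not fonts.
    """
    if off + 12 > len(buf):
        return None
    num_tables = struct.unpack(">H", buf[off + 4:off + 6])[0]
    if not 1 <= num_tables <= 64:
        return None
    dir_end = 12 + 16 * num_tables
    if off + dir_end > len(buf):
        return None
    end = dir_end
    for i in range(num_tables):
        rec = off + 12 + 16 * i
        tag, _checksum, t_off, t_len = struct.unpack(">4sIII", buf[rec:rec + 16])
        if not all(0x20 <= c <= 0x7E for c in tag):  # tags are printable ASCII, e.g. b"cvt "
            return None
        if t_off < dir_end or off + t_off + t_len > len(buf):
            return None
        end = max(end, t_off + t_len)
    return (end + 3) & ~3  # tables are 4-byte aligned, so the font ends on a boundary


def carve_sfnt(buf):
    """Return (offset, length, sha256) for each embedded sfnt found in buf."""
    found, pos = [], 0
    while pos < len(buf):
        hits = [h for h in (buf.find(m, pos) for m in SFNT_MAGICS) if h != -1]
        if not hits:
            break
        off = min(hits)
        length = sfnt_length(buf, off)
        if length is None:
            pos = off + 1  # not a font header, keep scanning
            continue
        blob = buf[off:off + length]
        found.append((off, length, hashlib.sha256(blob).hexdigest()))
        pos = off + length
    return found


def build_sfnt(tables):
    """Construct a minimal TrueType-flavoured sfnt from (tag, payload) pairs (test data)."""
    num = len(tables)
    directory, body = b"", b""
    data_start = 12 + 16 * num
    for tag, payload in tables:
        directory += struct.pack(">4sIII", tag, 0, data_start + len(body), len(payload))
        body += payload + b"\x00" * (-len(payload) % 4)
    return b"\x00\x01\x00\x00" + struct.pack(">HHHH", num, 0, 0, 0) + directory + body


# Constructed decoded-stream data: two fonts plus a PDF boolean 'true' decoy.
FONT_A = build_sfnt([(b"head", b"\x00" * 54), (b"name", b"constructed font A")])
FONT_B = build_sfnt([(b"head", b"\x00" * 54), (b"cvt ", b"\x00\x10" * 5)])
CONSTRUCTED_STREAMS = (
    b"<< /Length 120 /Marked true >>\nstream\n" + FONT_A + b"\nendstream\n"
    + b"<< /Length 112 >>\nstream\n" + FONT_B + b"\nendstream\n"
)


if __name__ == "__main__":
    for off, length, digest in carve_sfnt(CONSTRUCTED_STREAMS):
        print("sfnt at offset 0x%X, %d bytes, sha256 %s" % (off, length, digest))
```

The extent is taken from the table directory rather than from the stream's /Length, so a font whose stream has trailing padding or is concatenated with other data is still carved at its true size; a directory that points outside the buffer is treated as a non-font and skipped.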