Malicious PDF — malware analysis report

Static analysis result for SHA-256 fcb7cde7c84b52d4…

Verdict: MALICIOUS
File type: PDF
Size: 74.4 KB
Created: 2021-04-13 21:03:11 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 031a08c0b0dd116f74f3ad475e078877
SHA-1: 23b026e805a3d675826e04a7c7c6774e8dfb8f53
SHA-256: fcb7cde7c84b52d4f7a355fe29c2b5848e330ff8c0ccec437417f9ab351b4c17
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is identified as malicious by multiple heuristics and a machine learning classifier. It contains an embedded URL pointing to 'vilenefex.ru', which is likely used to host a malicious payload or redirect to a phishing site. The PDF structure and embedded URLs suggest an attempt to trick the user into visiting a compromised resource.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9819

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PDFSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://vilenefex.ru/strik?utm_term=how+to+use+frost+and+design+l%2527oreal

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f0ff.bin
  SHA-256: 9289c60d4532b227ac87c2907d480ca3043c4a789fc76ddd18d2f0d12299300e
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF0FF
  Size: 5160 bytes

Filename: font_01_sfnt_off000102b5.bin
  SHA-256: 5e24834d842c78735611c8845e8712d13185f5f47f1c086c8b5482eecb04de33
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x102B5
  Size: 11152 bytes