Malicious PDF — malware analysis report

Static analysis result for SHA-256 09165d1ca9b23a61…

Verdict: MALICIOUS
File type: PDF
Size: 81.5 KB
Created: 2021-04-29 22:56:56 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-02
MD5: 600e5dcfd6fd263e73d1068d25de350b
SHA-1: 92fe5e680579b63a69016fff1b691bdd529018cf
SHA-256: 09165d1ca9b23a615716d58edc2b2b353c37291ea21cc23b3cfc6515bcbbdf17
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

Heuristic matches indicate that this PDF is part of a link farm, and it is flagged as malicious by both the ML classifier and ClamAV. The document body, though partially garbled, suggests a lure related to a 'Samsung front loader washing machine error code'. The presence of external URIs, in particular a link annotation pointing to 'kuzutuzo.ru', strongly suggests a phishing or redirection attempt. No scripts were extracted, but the overall structure and heuristic results point to a malicious document designed to lead users to external, potentially harmful, content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://kuzutuzo.ru/strik?utm_term=samsung+front+loader+washing+machine+error+code+3e (PDF link annotation)
    • https://cdn.sqhk.co/bitaxukezor/Vjifuam/ice_age_adventures_mod.pdf (in PDF document text)
    • https://kowizonijate.weebly.com/uploads/1/3/5/9/135991151/wigasuzewoviwubetaba.pdf (in PDF document text)
    • https://cdn.sqhk.co/lawafopugu/aNhfhhF/xaboz.pdf (in PDF document text)
    • https://cdn.sqhk.co/puroneruk/ahfUPO6/comment_avoir_toca_hair_salon_3_gratuit_ios.pdf (in PDF document text)
    • https://cdn.sqhk.co/febowozefu/jegeJig/3dlut_mobile_apk_free_download.pdf (in PDF document text)
    • https://ziwagunu.weebly.com/uploads/1/3/4/8/134883986/423946ae.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://s3.amazonaws.com/baxekojojexusol/exemple_de_biographie_professionnelle_courte.pdf (in PDF document text)
    • https://s3.amazonaws.com/kubedukowug/cbi_officer_south_movie.pdf (in PDF document text)
    • https://s3.amazonaws.com/muwomapotumugi/40328004863.pdf (in PDF document text)
    • https://s3.amazonaws.com/xajowu/alexander_hamilton_ron_chernow_audiobook_free.pdf (in PDF document text)
    • https://5e54d98c-4257-4cc7-9010-48f3df296eb2.filesusr.com/ugd/05240c_7dbdf8cefbea4f4c87a103a765bc0f99.pdf?index=true (in PDF document text)
    • https://0ac950e2-707a-4e47-8bf4-daface0ea9db.filesusr.com/ugd/356f11_0e7957d3a2664c728e1eabbae200be03.pdf?index=true (in PDF document text)
    • https://s3.amazonaws.com/wavunot/rawuxirilevepepovofa.pdf (in PDF document text)
    • https://0a37a3d5-a0bf-4e77-8ff5-6127fd08aefa.filesusr.com/ugd/6046c9_2495be4dd3204dd6a22d04a84a1ed466.pdf?index=true (in PDF document text)
    • https://s3.amazonaws.com/leteraxewe/relotixexozafavalak.pdf (in PDF document text)
    • https://s3.amazonaws.com/geradi/vemifositumijovenidu.pdf (in PDF document text)
    • https://s3.amazonaws.com/kotodur/vodojula.pdf (in PDF document text)
    • https://s3.amazonaws.com/wifiduxezo/molunamipufibugur.pdf (in PDF document text)
    • https://s3.amazonaws.com/bivanud/spreadsheet_compare_2016_microsoft.pdf (in PDF document text)
    • https://s3.amazonaws.com/fixararololu/use_sony_rx100_ii_as_webcam.pdf (in PDF document text)
    • https://4c72699b-aa2e-4dc8-8bd5-1a54e8f938a6.filesusr.com/ugd/f3cb45_4dbd6dcb339144c3877867d7bf6e4c90.pdf?index=true (in PDF document text)
    • https://s3.amazonaws.com/mokixetat/selafesofafifimebupi.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000fafc.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFAFC
    Size: 5796 bytes
    SHA-256: 28e9f9f4e7bf300035b62b82a6f1d00658f3089aa6aaaaafac27cf935f40a068
  • Filename: font_01_sfnt_off00010ea0.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10EA0
    Size: 12156 bytes
    SHA-256: dcb37ea9930a1e92a4e3fb9fdfc38353af3adf6df5f3ba01a03b991f8f40b2f7