Malicious PDF — malware analysis report

Static analysis result for SHA-256 0be73ea7afc8a626…

MALICIOUS

PDF

76.3 KB Created: 2021-02-27 08:09:55 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 01f2021c396eb50f3eb1d634ad8a749d SHA-1: d6ecb6937ef7f8d875c977020cb41294a175ac6b SHA-256: 0be73ea7afc8a6268d9314ee13f61a2eaf45441426f7aa5fb70a3689ee6645d1
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is a PDF document identified as malicious by ML classifiers and ClamAV. It contains an embedded URL pointing to 'kuzutuzo.ru', which is likely part of a phishing or malware distribution scheme. The document body, though heavily obfuscated, suggests a lure related to 'Pathfinder race ability score chart' to entice users to click the malicious link.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9605

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PDFSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://kuzutuzo.ru/award?keyword=pathfinder+race+ability+score+chart
    • http://alexandreablog.com/what_is_a_frame_in_filmcwnei.pdf
    • https://cdn.sqhk.co/suxujaba/tQhcoIX/osim_uinfinity_user_manual.pdf
    • http://nutosuvitiraj.scienceontheweb.net/diccionario_italiano_espanol_en_linea_gratis.pdf
    • http://dressnbuy.com/389998860075xkke.pdf
    • http://desajegurake.scienceontheweb.net/razixago.pdf
    • http://steblin.pro/arjun_reddy_movie_kiss_scenesvthi0.pdf
    • https://cdn.sqhk.co/werutojij/cLgjKvo/iron_items_hsn_code.pdf
    • https://cdn.sqhk.co/delojiwuguj/jOjfihN/63834949687.pdf
    • http://vifezitenof.getenjoyment.net/76519022076.pdf
    • http://lestyprin.online/seboturubosuykosq.pdf
    • http://nowukusox.mypressonline.com/76181118565.pdf
    • http://gexomafe.mypressonline.com/3426771491.pdf
    • http://maddot.space/73185152081aoo9q.pdf
    • https://vobasonuniba.weebly.com/uploads/1/3/4/6/134668907/subesolum.pdf
    • http://stickerrus.ru/rosutevajoazet4.pdf
    • https://cdn.sqhk.co/pugirunosamo/lkiiTL7/pupifi.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://bajekixizosi.myartsonline.com/what_is_a_feature_story_in_agile.pdf
    • http://xinifaduzinuvu.onlinewebshop.net/citizen_eco_drive_watch_price_in_kenya.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000edfc.bin
c03972b852c3d5c07493f073522aab88482fff9ffdd62d80ed8af3e05c52a6ee		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEDFC 5352 bytes
font_01_sfnt_off00010030.bin
a947a43ded32097890270b735d77e7cec4f00cf1788688fabdc9a6613a8114d1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10030 16028 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.