Malicious PDF — malware analysis report

Static analysis result for SHA-256 0db4814246d43e94…

Verdict: MALICIOUS
File type: PDF
Size: 76.6 KB
Created: 2021-03-18 16:35:58 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 151a43295062260ffa6a8e5464b81f32
SHA-1: 75137a7c66a866ffe5c18d7f5f4b8d876b1e1891
SHA-256: 0db4814246d43e942eef43266ea2ad3caa930d5151b1b391eb6826a316a60939
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. It contains an embedded URL pointing to 'kuzutuzo.ru', which is likely part of a phishing or redirection scheme. The document body is heavily obfuscated, but its metadata indicates it was generated by wkhtmltopdf, a tool sometimes used to create malicious PDFs. The presence of multiple unknown URLs further supports the malicious nature of the file.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9953

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://kuzutuzo.ru/wix?keyword=the+lottery+by+shirley+jackson+worksheet

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000eecc.bin
    SHA-256: 2e901c8923a66458e09e85f7b01795b52c465e9422326d36608650e4c7492fe3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEECC
    Size: 5308 bytes
  • Filename: font_01_sfnt_off000100e9.bin
    SHA-256: 3252965f6d37406653c36a116b6d5b0a4d4af6a2dcac870075b58cd818b80527
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x100E9
    Size: 10456 bytes