Malicious PDF — malware analysis report

Static analysis result for SHA-256 25c43f701f1f5270…

MALICIOUS

PDF

Size: 76.0 KB
Created: 2021-04-01 08:44:30 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 069b0afd23dab617d935d97b3741716e
SHA-1: 759f975f5d45a0a675939652e9e28e48510ba573
SHA-256: 25c43f701f1f527004bcc9083acf38c17d61802027bca0f69482f8ec37c4ccf2
Risk Score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was flagged by ML classifiers and ClamAV as malicious, specifically as a phishing trojan. It contains an embedded URI pointing to 'lozipotod.ru', which is likely the primary malicious destination. The document body, though heavily obfuscated, suggests a lure related to a 'selection test'. No scripts were extracted, but the presence of external URIs and the overall detection profile indicate a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9599

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PDFSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://lozipotod.ru/strik?utm_term=what+to+the+slave+is+the+fourth+of+july+selection+test

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000f987.bin (SHA-256 46a5d5779d04523cff7af1a01be369f6647952b62a27a0af5a1c8c3e1705482c) | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF987 | 5220 bytes
font_01_sfnt_off00010b5e.bin (SHA-256 70235b61a573ddefab879fdc9443f7492ccd194e566f49bcbada4cd2f885e70c) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10B5E | 10736 bytes