Malicious PDF — malware analysis report

Static analysis result for SHA-256 49d2208667defe53…

MALICIOUS

PDF

89.8 KB Created: 2021-03-23 15:57:21 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 26503d8514ee0dba4050ba5c832c0c70 SHA-1: b99ba62ae04e0327ebd9b8be225fe6ac884c3ae3 SHA-256: 49d2208667defe53d2337a661347a0a75b0a39836a2814d850d693116a53459c
126 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains multiple external URIs, with a primary focus on 'https://kuzutuzo.ru/wix?keyword=bk+package+disabler+extension+apk'. The ML classifier and ClamAV detection strongly indicate malicious intent, classifying it as a phishing or trojan PDF. The document body, though truncated, suggests a lure related to 'Bk package disabler extension apk', reinforcing the phishing pretext.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://kuzutuzo.ru/wix?keyword=bk+package+disabler+extension+apk
    • https://cdn-cms.f-static.net/uploads/4390663/normal_603e3380bfa07.pdf
    • https://cdn-cms.f-static.net/uploads/4415518/normal_60244938cefc2.pdf
    • http://medicalpracticementor.com/naruto_shippuden_ultimate_ninja_impact_psp_romsmania5nj1f.pdf
    • http://circulshtangcalip.website/35015238382kll6v.pdf
    • http://fewudutizoxom.medianewsonline.com/tesexiv.pdf
    • http://xulubapatoso.scienceontheweb.net/harvard_classics_shelf_of_fiction.pdf
    • https://cdn-cms.f-static.net/uploads/4367007/normal_6030caeb90ae4.pdf
    • https://cdn-cms.f-static.net/uploads/4485587/normal_600eae43391c1.pdf
    • http://nunovoxiwanafuz.getenjoyment.net/nafapuzitufovosatofebokab.pdf
    • http://vashe-zdorovie.xyz/jungle_escape_jungle_runuvmn0.pdf
    • http://bamefidev.mygamesonline.org/kcse_biology_past_papers.pdf
    • http://gnatural.space/4169287553uvsle.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://28546a20-d0cc-4b82-bb4f-6711990cd5a3.filesusr.com/ugd/0bcf16_497faacbaa174c83a6c4aeb48f24d36e.pdf?index=true
    • https://a3de454e-1598-42bb-a259-4eb69c42f179.filesusr.com/ugd/fb5067_ed1a0178325b42af815476cb05926b52.pdf?index=true
    • https://s3.amazonaws.com/gogunabones/21488685018.pdf
    • https://30fe55a9-f0c7-4aec-9bf5-b9d2225d99a8.filesusr.com/ugd/c4a51e_5bca855a19f74d00beaf6180766eb225.pdf?index=true
    • https://c3373aeb-ed74-4f2d-b631-fa679e0a3f6f.filesusr.com/ugd/cbe7f7_f8bf1c29831040cda47e1c2b5513dad0.pdf?index=true
    • http://refusunono.onlinewebshop.net/grade_5_math_practice_workbook.pdf
    • https://s3.amazonaws.com/bokofapig/whirlpool_washing_machine_automatic_manual.pdf
    • https://c4647614-9ff8-4b00-b819-08dc938bd166.filesusr.com/ugd/5d3f24_4aea182ac5124e94a2993c59c75555df.pdf?index=true
    • https://s3.amazonaws.com/legipalofi/inkling_boy_hat_template.pdf
    • https://s3.amazonaws.com/zulezov/malwarebytes_portable_2019.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000109c9.bin
80393deedb4bba6ea45e0148d9aa1eb1bcbe6eec282cdaf4bc668ea58bee2fda		 pdf-font-stream PDF embedded font (sfnt) at offset 0x109C9 5560 bytes
font_01_sfnt_off00011cc0.bin
18e101d08a2c6db7b35172f03f90ed93780f2d971e08e9a5f4af368484184069		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11CC0 11236 bytes
font_02_sfnt_off0001439e.bin
80f5367dd1e306e1abebbe5f3deab1dd3563290e1d7aa0807afa068fa506e03d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1439E 16244 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.