Malicious PDF — malware analysis report

Static analysis result for SHA-256 50443cae9eab77d9…

Verdict: MALICIOUS
File type: PDF
Size: 72.7 KB
Created: 2021-03-28 12:58:00 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0a3584073b2faf351c4d8a6aa5585cef
SHA-1: 7b07f7a96bd20dbebaff52c3de7751f9facfc166
SHA-256: 50443cae9eab77d90dd519a55cf546a5b550c460b7ab6ddc86ae84c90741d8b3
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF was flagged as malicious both by the Nyx machine learning classifier (score 0.9998) and by ClamAV, which matched the Pdf.Phishing.Trojan signature listed under Heuristics; together these indicate a high likelihood of malicious intent. The document carries a link action whose target is https://kuzutuzo.ru/wix?keyword=diccionario+biblico+pdf+ilustrado, the pattern of a lure that sends the reader to a phishing or malware-distribution site. No JavaScript or other script content was extracted, so the T1059.007 mapping is not backed by observed script bytes; the case rests on the document structure (including an object redefined with a different body in an incremental update) and on the outbound link, which is the shape of a social-engineering attack designed to trick users into visiting a malicious site.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9998

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware under the signature above.
  • External URI (info, PDF_URI)
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will therefore resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates (a saved form, an added annotation), so severity is raised only when the duplicate carries active content such as a URI, launch or JavaScript action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Note that the w3.org, purl.org and ns.adobe.com entries at the end of the list are XMP namespace identifiers from the document metadata and http://scripts.sil.org/OFL is the SIL Open Font License URL; none of these is a navigable lure target.
    • https://kuzutuzo.ru/wix?keyword=diccionario+biblico+pdf+ilustrado
    • https://murimuwisoruda.weebly.com/uploads/1/3/4/0/134017177/gozalux.pdf
    • https://cdn.sqhk.co/gidenateg/hagfgeW/reaction_screen_recorder_reaction_cam_video_maker.pdf
    • https://cdn.sqhk.co/fewesiwe/hbKhbIJ/zomimex.pdf
    • https://cdn-cms.f-static.net/uploads/4450440/normal_6021ec368ce9f.pdf
    • https://cdn-cms.f-static.net/uploads/4491926/normal_6049084eb1c73.pdf
    • https://cdn.sqhk.co/buxifuludo/yjjgd6r/mcat_2021_dates_twitter.pdf
    • https://cdn-cms.f-static.net/uploads/4465701/normal_604f23fef2344.pdf
    • https://pezojafabeton.weebly.com/uploads/1/3/4/4/134402057/visaliguwogo.pdf
    • https://cdn-cms.f-static.net/uploads/4454302/normal_6021a5eed1778.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/feseni/formatting_excel_spreadsheets.pdf
    • https://d78d2789-9aef-4bfd-88be-9093bec910ef.filesusr.com/ugd/87a178_78b7d55afc8a437fb185b08bbb786fd5.pdf?index=true
    • https://uploads.strikinglycdn.com/files/d1935755-1e91-4969-9243-9cfe77b14fb7/is_server_boosting_worth_it_reddit.pdf
    • https://584abdf6-e408-48d3-a53c-4313a8f82471.filesusr.com/ugd/18ee90_0a27604e13114d59979742fa54b2ce88.pdf?index=true
    • https://s3.amazonaws.com/xozeb/nejafivinulugobebulilume.pdf
    • https://c31d65df-273c-4bcc-acfb-7b03b0724b99.filesusr.com/ugd/e7e4a0_028039bdb8cd4cadab9efb3e2846e4ce.pdf?index=true
    • https://uploads.strikinglycdn.com/files/e0d80863-8e80-4049-8e15-ce80ca5ae28f/are_old_swatch_watches_valuable.pdf
    • https://uploads.strikinglycdn.com/files/eaa0372c-1ec0-4f4e-9992-ab124c46e3c5/7174443274.pdf
    • https://uploads.strikinglycdn.com/files/c3b9ca99-dbab-47fe-829b-8d9f7a2ac1d4/short_i_love_you_poems_for_him_from_the_heart.pdf
    • https://uploads.strikinglycdn.com/files/ee8b6250-004e-48c7-a71e-f717e7199988/dell_latitude_e5500_service_manual.pdf
    • https://44bb6ee8-a0fe-4f72-890f-0f0a2fec05cf.filesusr.com/ugd/b65acf_fa1ccaca973a4691909b17016914f319.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
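The PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and PDF_URI findings above, worked as an added example that is not the scanner's own code. It scans raw PDF bytes for every "N G obj ... endobj" definition, groups them by object id, flags ids whose bodies differ byte-for-byte, and shows which /URI target a first-wins reader and a last-wins reader would each follow. The regex-based object scan is an assumed implementation (a real parser would walk the xref chain), and the PDF bytes, object numbers and URLs (example.org, lure.example) are constructed for the example; only the heuristic's shape comes from the report.

```python
"""First-wins vs last-wins resolution of a duplicated PDF object.

Added example, not the scanner's own code. The sample PDF below is constructed:
an original body followed by an incremental update that redefines the link
annotation (object 4 0) with a different /URI target.
"""
import re
from collections import defaultdict

OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
URI_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.S)
# Keys that make a redefined object "active content" rather than a benign
# metadata or appearance update.
ACTIVE_KEYS = (b"/URI", b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction",
               b"/AA", b"/SubmitForm", b"/GoToR")


def parse_objects(data: bytes) -> dict:
    """Map (num, gen) -> list of body bytes in file order; incremental
    updates append, so later entries are the newer definitions."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return objs


def duplicate_bodies(objs: dict) -> dict:
    """Object ids defined more than once with byte-different bodies."""
    return {k: v for k, v in objs.items() if len(v) > 1 and len(set(v)) > 1}


def resolve(objs: dict, policy: str) -> dict:
    """Collapse each id to one body: 'first' keeps the original definition,
    'last' keeps the newest, matching the two reader behaviours."""
    idx = 0 if policy == "first" else -1
    return {k: v[idx] for k, v in objs.items()}


def uris_in(body: bytes) -> list:
    """All /URI string targets inside one object body."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(body)]


def is_active(body: bytes) -> bool:
    return any(k in body for k in ACTIVE_KEYS)


def analyse(data: bytes) -> dict:
    """Per duplicated id: the URI each policy would follow, plus a severity
    that is raised only when some definition carries active content."""
    objs = parse_objects(data)
    report = {}
    for key, bodies in duplicate_bodies(objs).items():
        report[key] = {
            "first_wins_uris": uris_in(resolve(objs, "first")[key]),
            "last_wins_uris": uris_in(resolve(objs, "last")[key]),
            "severity": "high" if any(is_active(b) for b in bodies) else "info",
        }
    return report


# Constructed sample objects (hypothetical hosts, not from the report).
ORIGINAL_ANNOT = (
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]\n"
    b"   /A << /S /URI /URI (https://example.org/benign.pdf) >> >> endobj\n"
)
UPDATED_ANNOT = (
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]\n"
    b"   /A << /S /URI /URI (https://lure.example/landing) >> >> endobj\n"
)
SAMPLE = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj\n"
    + ORIGINAL_ANNOT
    + b"trailer << /Root 1 0 R >>\n%%EOF\n"
    + UPDATED_ANNOT
    + b"trailer << /Root 1 0 R /Prev 9 >>\n%%EOF\n"
)

if __name__ == "__main__":
    for (num, gen), info in analyse(SAMPLE).items():
        print(f"{num} {gen} obj: first-wins -> {info['first_wins_uris']}, "
              f"last-wins -> {info['last_wins_uris']} [{info['severity']}]")
```

Run against the sample, the duplicated object 4 0 resolves to the benign URL under first-wins and to the lure URL under last-wins, and is rated high because both definitions carry a /URI action; appending an identical copy of the original annotation instead (the benign incremental-update case) produces no finding, which is the distinction the heuristic's severity rule draws.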

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                       Kind              Source                                      Size
font_00_sfnt_off0000db39.bin   pdf-font-stream   PDF embedded font (sfnt) at offset 0xDB39   5288 bytes
  SHA-256: 5d577495c8d10ce6f934e47074089ef86a7c5ee853cf26f7cadb2524ae4446bc
font_01_sfnt_off0000ed43.bin   pdf-font-stream   PDF embedded font (sfnt) at offset 0xED43   11956 bytes
  SHA-256: bdad7165f36e4e7f785ac944c07eecf485c70f81c8441f03b48c2e8df2c8e2bb
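How font artifacts like the two above can be carved, as an added example that is not the scanner's own code. It walks every stream in raw PDF bytes, inflates FlateDecode streams, keeps those whose first four bytes are an sfnt magic, parses the table directory and reports offset, size, SHA-256 and table tags, the fields the artifact table shows. The PDF and the tiny sfnt inside it are constructed inline (hypothetical object numbers and table contents) so the script runs offline; the file-name pattern mirrors the table's font_NN_sfnt_offXXXX names.

```python
"""Carve embedded sfnt fonts from PDF streams and fingerprint them.

Added example, not the scanner's own code; the sample PDF is constructed.
"""
import hashlib
import re
import struct
import zlib

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
# TrueType (0x00010000 / 'true') and CFF-based OpenType ('OTTO'). Collections
# ('ttcf') have a different header and are deliberately not parsed here.
SFNT_MAGIC = {b"\x00\x01\x00\x00", b"true", b"OTTO"}


def sfnt_tables(font: bytes):
    """Return the table tags from the sfnt table directory, or None when the
    blob is not an sfnt or its directory points outside the blob."""
    if len(font) < 12 or font[:4] not in SFNT_MAGIC:
        return None
    num_tables = struct.unpack(">H", font[4:6])[0]
    tags = []
    for i in range(num_tables):
        rec = font[12 + 16 * i: 28 + 16 * i]
        if len(rec) < 16:
            return None          # directory truncated: treat as malformed
        tag, _checksum, off, length = struct.unpack(">4sIII", rec)
        if off + length > len(font):
            return None          # table record reaches past the blob
        tags.append(tag.decode("latin-1"))
    return tags


def carve_fonts(pdf: bytes) -> list:
    """One record per stream that (raw or inflated) decodes to an sfnt."""
    found = []
    for m in STREAM_RE.finditer(pdf):
        raw = m.group(1)
        candidates = [raw]
        try:
            candidates.append(zlib.decompress(raw))
        except zlib.error:
            pass                 # not FlateDecode (or not decodable)
        for blob in candidates:
            tags = sfnt_tables(blob)
            if tags is None:
                continue
            found.append({
                "offset": m.start(1),            # file offset of the stream data
                "size": len(blob),
                "sha256": hashlib.sha256(blob).hexdigest(),
                "tables": tags,
            })
            break
    return found


def build_sfnt(tables: dict) -> bytes:
    """Assemble a minimal TrueType-flavoured sfnt from {tag: bytes}
    (constructed test input, padded to 4-byte table boundaries)."""
    n = len(tables)
    header = struct.pack(">IHHHH", 0x00010000, n, 0, 0, 0)
    off = 12 + 16 * n
    directory, body = b"", b""
    for tag, data in tables.items():
        directory += struct.pack(">4sIII", tag, 0, off + len(body), len(data))
        body += data + b"\0" * (-len(data) % 4)
    return header + directory + body


# Constructed sample PDF: a plain content stream plus one FlateDecode
# FontFile2 stream holding the font built above.
FONT = build_sfnt({b"head": b"\0" * 54, b"cmap": b"\0\0\0\0"})
DEFLATED = zlib.compress(FONT)
FONT_OBJ = (b"6 0 obj << /Length %d /Filter /FlateDecode /Length1 %d >>\nstream\n"
            % (len(DEFLATED), len(FONT)))
SAMPLE = (
    b"%PDF-1.4\n"
    b"5 0 obj << /Length 10 >> stream\nBT ET Tj Q\nendstream endobj\n"
    + FONT_OBJ + DEFLATED + b"\nendstream\nendobj\n"
)

if __name__ == "__main__":
    for i, rec in enumerate(carve_fonts(SAMPLE)):
        print("font_%02d_sfnt_off%08x.bin  %d bytes  %s  tables=%s"
              % (i, rec["offset"], rec["size"], rec["sha256"], rec["tables"]))
```

The content stream is skipped because it is neither an sfnt nor inflatable, while the FlateDecode stream inflates to the constructed font and is reported with its table directory. The bounds check in sfnt_tables matters in triage: an embedded font whose directory points outside its own bytes is malformed, and font parsers in readers are a historically attacked surface, so such a blob deserves a closer look rather than a silent skip.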