Malicious PDF — malware analysis report

Static analysis result for SHA-256 60ebb80c84f7d886…

MALICIOUS

PDF

Size: 81.2 KB
Created: 2021-03-20 07:09:20 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b8cf8eebc4208b47634589bf4d061fd5
SHA-1: 30c237f4bd064d515acfe0d5c9aae670fd629e92
SHA-256: 60ebb80c84f7d886e34012cb79fddae986871cec358c059b8da26eef8cd0f83f
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The sample is a PDF file flagged by ClamAV as Pdf.Phishing.Trojan and by an ML classifier as malicious. It contains an embedded URI pointing to 'https://kuzutuzo.ru/award?keyword=brown+tumor+of+hyperparathyroidism+pdf', suggesting a lure to a malicious site. While no scripts were explicitly extracted, the presence of embedded URLs and the nature of the detection indicate a phishing or malware distribution attempt, likely delivered as a spearphishing attachment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://kuzutuzo.ru/award?keyword=brown+tumor+of+hyperparathyroidism+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000fd7f.bin (SHA-256 ce898396dd13e01fe415a89c594ec7413089df66ccbb09e7b997104861efca6a) | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFD7F | 5492 bytes
font_01_sfnt_off00011021.bin (SHA-256 c6cd494cd925bdd16fb63c2d9a7b26adab2d4979571cc804e2841dc817c3d882) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11021 | 11444 bytes