Malicious PDF — malware analysis report

Static analysis result for SHA-256 61993aa2ca7f7b2e…

Verdict: MALICIOUS
File type: PDF

Size: 77.5 KB
Created: 2021-03-09 21:44:25 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 820591661bcc56b9c0fcd94fe069afc8
SHA-1: c922736ff1c813903e9f26f45182ff2133e85160
SHA-256: 61993aa2ca7f7b2e0e3bc25cf884bf2b957e0cd84188cda09bdea85f8e0be436
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF was flagged as malicious by the ML classifier and by ClamAV, which together indicate a high likelihood of malicious intent. It carries an external URI action pointing to 'kuzutuzo.ru'; the query string (utm_term=cloud+computing+developer+salary+in+india) matches a salary-information lure, so the link is most likely part of a phishing or credential-harvesting scheme. The document's structure and its embedded URLs suggest it is designed to trick the reader into visiting that site under the guise of providing salary information. Note that none of the four heuristics below reports embedded JavaScript, so the T1059.007 mapping is not corroborated by a static finding in this report.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9991

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will therefore resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://kuzutuzo.ru/strik?utm_term=cloud+computing+developer+salary+in+india (URI action target)
    • https://sanepawoja.weebly.com/uploads/1/3/4/5/134579143/wuzubuketijef_ledor_xatakulob_gujemeki.pdf
    • https://xozejobe.weebly.com/uploads/1/3/1/4/131406614/tugifazuwudi.pdf
    • https://cdn-cms.f-static.net/uploads/4389804/normal_5fe625de3c6e4.pdf
    • https://cdn-cms.f-static.net/uploads/4465263/normal_6039f2e2ea329.pdf
    • https://ramakizuwag.weebly.com/uploads/1/3/4/3/134321509/ziduzugusab.pdf
    • https://static.s123-cdn-static.com/uploads/4408865/normal_5ff21774bc1ea.pdf
    • https://wegonugu.weebly.com/uploads/1/3/4/0/134040733/bunepaliwewufax.pdf
    • https://cdn-cms.f-static.net/uploads/4458148/normal_6027c5d31c7e9.pdf
    • https://logekififej.weebly.com/uploads/1/3/4/5/134502341/wopiwafu-vodebivutigu.pdf
    • https://tesujirigagorin.weebly.com/uploads/1/3/4/8/134869290/ziwisira.pdf
    • http://likefetevu.getenjoyment.net/denuvututomosu.pdf
    • http://pojebanidik.mywebcommunity.org/define_realistic_conventions_in_drama.pdf
    • https://garegijewavib.weebly.com/uploads/1/3/4/3/134389285/c580ef12.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/792b1bfb-b43f-4c0d-b9d6-42a802bdc95f/what_is_the_best_topic_for_couples.pdf
    • http://bajekixizosi.myartsonline.com/astm_e1444_free_download.pdf
    • https://uploads.strikinglycdn.com/files/d2346079-e745-4384-a994-27cd5f2ca51d/35723461504.pdf
    • http://nujugeteteda.myartsonline.com/john_deere_2653a_owners_manual.pdf
    • https://s3.amazonaws.com/dinilederu/renakodatewajujata.pdf
    • https://s3.amazonaws.com/dinigugaxej/online_battle_royale_games.pdf
    • https://uploads.strikinglycdn.com/files/e6c89ec5-7714-4f0a-a47a-b15b64e05f6a/maytag_neptune_front_load_washer_error_code_e3.pdf
    • https://uploads.strikinglycdn.com/files/5b8fa69b-47b9-4813-9ec1-e379a52cb95b/43972372430.pdf
    • https://s3.amazonaws.com/mamibis/airscreen_apk_full_cracked.pdf
    • https://s3.amazonaws.com/potamotaz/jegelifev.pdf
    • https://s3.amazonaws.com/zaxawetawupo/63592056184.pdf
    • http://makakanow.onlinewebshop.net/3979686900.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    The seven entries above are XMP metadata namespace URIs and an SIL Open Font License reference (the kind of string font metadata carries); they are schema identifiers and a licence pointer, not link targets.
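The PDF_URI and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristics above can be reproduced with a few lines of Python. The following is an added example written for this page, not the analyser's own code. It walks a constructed two-revision PDF (embedded inline; it is not the analysed sample, and example.org and phish.invalid are placeholder hosts), lists every /URI target, finds object numbers defined more than once with different bodies, shows what a first-wins and a last-wins reader would resolve for such an object, and raises severity only when a duplicate body carries active content (URI, JavaScript, Launch and similar keys), which is the policy the heuristic's description states.

```python
import re
from collections import defaultdict

# Constructed sample for this demo (not the analysed file): a one-page PDF whose
# link annotation (object 4) points at a benign URL, followed by an incremental
# update that redefines objects 3 and 4. Object 3 only gains /Rotate (a benign
# body-only change); object 4 swaps its /URI target (active content changed).
# example.org and phish.invalid are placeholder hosts.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.org/benign) >> >>
endobj
trailer
<< /Root 1 0 R /Size 5 >>
%%EOF
3 0 obj
<< /Type /Page /Parent 2 0 R /Annots [4 0 R] /Rotate 90 >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://phish.invalid/strik?utm_term=salary) >> >>
endobj
trailer
<< /Root 1 0 R /Size 5 /Prev 0 >>
%%EOF
"""

# "N G obj ... endobj" in file order. The lookbehind stops "12 0 obj" from also
# matching as "2 0 obj". Not a full PDF tokenizer: good enough for triage.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
# Literal-string and hex-string forms of a /URI value.
URI_LIT_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
URI_HEX_RE = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")
# Keys whose presence makes a duplicate body "active content".
ACTIVE_RE = re.compile(rb"/(JavaScript|JS|URI|Launch|OpenAction|AA|SubmitForm|GoToR|EmbeddedFile)\b")


def find_objects(data):
    """Return [(num, gen, body_bytes), ...] for every indirect object definition."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3).strip())
            for m in OBJ_RE.finditer(data)]


def duplicate_objects(data):
    """Map (num, gen) -> all bodies, for objects defined more than once with differing bytes."""
    seen = defaultdict(list)
    for num, gen, body in find_objects(data):
        seen[(num, gen)].append(body)
    return {key: bodies for key, bodies in seen.items() if len(set(bodies)) > 1}


def resolve(data, num, gen, policy="last"):
    """Simulate a first-wins or last-wins reader for one object number."""
    bodies = [b for n, g, b in find_objects(data) if (n, g) == (num, gen)]
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


def extract_uris(data):
    """All /URI targets in `data`, in byte order, decoded as Latin-1."""
    found = []
    for m in URI_LIT_RE.finditer(data):
        raw = re.sub(rb"\\([()\\])", rb"\1", m.group(1))  # undo \( \) \\ escapes
        found.append((m.start(), raw.decode("latin-1")))
    for m in URI_HEX_RE.finditer(data):
        hexdigits = re.sub(rb"\s", b"", m.group(1)).decode("ascii")
        if len(hexdigits) % 2:          # PDF: a missing final digit is taken as 0
            hexdigits += "0"
        found.append((m.start(), bytes.fromhex(hexdigits).decode("latin-1")))
    return [uri for _, uri in sorted(found)]


def analyse(data):
    """Mirror the report's two checks: embedded /URI targets and duplicate object bodies."""
    findings = []
    for (num, gen), bodies in duplicate_objects(data).items():
        active = any(ACTIVE_RE.search(b) for b in bodies)
        findings.append({
            "obj": (num, gen),
            "definitions": len(bodies),
            "severity": "high" if active else "info",   # raised only for active content
            "first_wins_uris": extract_uris(bodies[0]),
            "last_wins_uris": extract_uris(bodies[-1]),
        })
    return {"uris": extract_uris(data), "duplicates": findings}


if __name__ == "__main__":
    result = analyse(SAMPLE_PDF)
    for uri in result["uris"]:
        print("URI:", uri)
    for f in result["duplicates"]:
        print(f"obj {f['obj'][0]} {f['obj'][1]}: defined {f['definitions']}x, "
              f"severity={f['severity']}, first-wins={f['first_wins_uris']}, "
              f"last-wins={f['last_wins_uris']}")
```

Run directly, it prints the two URIs and both duplicated objects: object 3 (only /Rotate changes) stays at info, object 4 (the /URI changes) is raised to high, and the first-wins and last-wins views of object 4 disagree. The regexes are a triage-grade approximation: they do not handle object streams, cross-reference streams or strings with unbalanced parentheses, and a conforming reader follows the xref tables rather than scanning for obj tokens, which is exactly why the two resolution policies can diverge.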

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000efe5.bin
  SHA-256: 1a2791330f2379dd380b2b666088c38f9822196b924696bc5d7ab2466eb9de2a
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xEFE5
  Size: 5460 bytes
Filename: font_01_sfnt_off0001026c.bin
  SHA-256: ff1cb5e6abec64749be9335a15791cb15730a296d344d21c8b6a676e1e3a2644
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1026C
  Size: 11136 bytes
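The two artifacts above were carved by locating sfnt (TrueType/OpenType) containers inside PDF font streams and measuring each one from its table directory. As an added illustration of that technique, not the analyser's code, the Python below builds a zero-filled but structurally valid sfnt (a constructed input; make_fake_sfnt is a helper for the demo only), embeds it in a FlateDecode stream of a minimal PDF, then inflates each stream, scans for sfnt magic bytes, validates the table directory, and reports offset, length and SHA-256 for every font found.

```python
import hashlib
import re
import struct
import zlib

# sfnt container magics: TrueType (0x00010000), Apple 'true', CFF-flavoured OpenType 'OTTO'.
# Font collections ('ttcf') have a different header and are deliberately not handled.
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO")
MAGIC_RE = re.compile(b"|".join(re.escape(m) for m in SFNT_MAGICS))
# Stream bodies found by delimiter scan. Production code honours /Length instead; this
# is enough for a demo in which no stream body contains the byte sequence "\nendstream".
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.S)


def make_fake_sfnt(tables):
    """Build a structurally valid sfnt container from {tag: bytes}. Constructed test
    input only: the tables are zero-filled, so no font renderer would load it."""
    n = len(tables)
    header = struct.pack(">IHHHH", 0x00010000, n, 0, 0, 0)  # version, numTables, search fields
    directory, body = b"", b""
    data_start = 12 + 16 * n
    for tag, data in tables.items():
        directory += struct.pack(">4sIII", tag, 0, data_start + len(body), len(data))
        body += data + b"\0" * (-len(data) % 4)  # table data is 4-byte aligned
    return header + directory + body


def sfnt_length(buf, off):
    """Length of the sfnt starting at buf[off], derived from its table directory,
    or None if the bytes at off do not look like a plausible sfnt header."""
    if buf[off:off + 4] not in SFNT_MAGICS or len(buf) - off < 12:
        return None
    num_tables = struct.unpack(">H", buf[off + 4:off + 6])[0]
    dir_end = 12 + 16 * num_tables
    if not 1 <= num_tables <= 64 or off + dir_end > len(buf):
        return None
    end = dir_end
    for i in range(num_tables):
        rec = off + 12 + 16 * i
        tag, _checksum, toff, tlen = struct.unpack(">4sIII", buf[rec:rec + 16])
        if not all(0x20 <= c < 0x7F for c in tag):            # tags are printable ASCII
            return None
        if toff < dir_end or off + toff + tlen > len(buf):    # table must follow the directory, inside buf
            return None
        end = max(end, toff + (tlen + 3) // 4 * 4)
    return end


def carve_sfnt_fonts(pdf):
    """Find sfnt fonts inside PDF streams; FlateDecode streams are inflated first."""
    fonts = []
    for m in STREAM_RE.finditer(pdf):
        raw = m.group(1)
        try:
            buf, encoding = zlib.decompress(raw), "flate"
        except zlib.error:               # not Flate-compressed: scan the raw bytes
            buf, encoding = raw, "raw"
        pos = 0
        while True:
            hit = MAGIC_RE.search(buf, pos)
            if hit is None:
                break
            length = sfnt_length(buf, hit.start())
            if length is None:           # magic bytes without a sane directory: keep scanning
                pos = hit.start() + 1
                continue
            data = buf[hit.start():hit.start() + length]
            fonts.append({"stream_offset": m.start(1), "encoding": encoding,
                          "inner_offset": hit.start(), "length": length,
                          "kind": "OpenType/CFF" if data[:4] == b"OTTO" else "TrueType",
                          "sha256": hashlib.sha256(data).hexdigest(), "data": data})
            pos = hit.start() + length
    return fonts


# Constructed sample PDF (not the analysed file): one Flate-compressed font stream
# holding the fake sfnt, plus one uncompressed text stream that must not match.
FONT = make_fake_sfnt({b"head": b"\0" * 54, b"maxp": b"\0" * 32})
FONT_Z = zlib.compress(FONT)
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"5 0 obj\n<< /Length " + str(len(FONT_Z)).encode() + b" /Filter /FlateDecode >>\nstream\n"
    + FONT_Z + b"\nendstream\nendobj\n"
    b"6 0 obj\n<< /Length 11 >>\nstream\nHello world\nendstream\nendobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    for f in carve_sfnt_fonts(SAMPLE_PDF):
        print(f"{f['kind']} font in {f['encoding']} stream at file offset 0x{f['stream_offset']:X}, "
              f"inner offset {f['inner_offset']}, {f['length']} bytes, sha256 {f['sha256']}")
```

The length check is what keeps a magic-byte scan honest: "true" occurs in plenty of text streams, but a real sfnt must have a small table count, printable four-byte tags and table ranges that stay inside the buffer, so false hits are rejected before anything is carved. For the report's file, the same directory walk is what produced the 5460- and 11136-byte sizes listed above.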