Malicious PDF — malware analysis report

Static analysis result for SHA-256 7322427fbb60a9c1…

MALICIOUS

PDF

Size: 76.0 KB
Created: 2021-03-15 17:58:24 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-05-22
MD5: 6aefabdcc9cb2038605e844985538f57
SHA-1: f31eb3b17fb37d550ac9517ad205950b7ebd4989
SHA-256: 7322427fbb60a9c1d58ba293aafb429620f47bf0b7884171ee3a27a509eba6a9
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged as malicious by a machine learning classifier and ClamAV, indicating a high likelihood of malicious intent. It contains an embedded URI pointing to 'https://kuzutuzo.ru/award?keyword=cemetery+gates+solo+tab+pdf', which is likely part of a phishing or malware distribution scheme. The document body, though heavily obfuscated, appears to be a lure related to a 'cemetery gates solo tab pdf'.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs and the channel that reached each:
    • https://kuzutuzo.ru/award?keyword=cemetery+gates+solo+tab+pdf (PDF link annotation)
    • https://static.s123-cdn-static.com/uploads/4372681/normal_6007c03bd318f.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4447093/normal_5fe8cbb9236ab.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4416923/normal_5ff992228d8c3.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4490724/normal_5fec264889206.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4464297/normal_60278c79397a4.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4366350/normal_601a5a9bea6d2.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4464730/normal_5ffcb1a2700f6.pdf (in PDF document text)
    • http://pogadai.xyz/zeniwizi88zl2.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4469837/normal_600806719e8b5.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4465257/normal_6012872ed0419.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4447253/normal_5fd1846d6134c.pdf (in PDF document text)
    • http://wowitaly.space/3404909362hq7ys.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4500183/normal_5ff02c3e35a95.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4385631/normal_5fd7cf0b89f71.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://s3.amazonaws.com/degisapemifa/57756408498.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/092e862c-879c-4600-8b47-81ec6b53657c/tuzufivobumozokav.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/59f4082b-1fc6-4a76-ac91-67088a853cea/xatemox.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/83a56a51-bb79-427d-a521-a7a891a4be8f/napupav.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/9ef118c0-2981-49a8-b125-dd0794f843ff/how_long_is_maxcare_warranty.pdf (in PDF document text)
    • https://s3.amazonaws.com/sobaketemu/55944382196.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000e231.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xE231   5508 bytes
  SHA-256: 9a93d5a4d5990cbd8911ff7fe32bf1130d8886882127aa259a4d7096ceb29074
font_01_sfnt_off0000f4c9.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xF4C9   1800 bytes
  SHA-256: a36eee06fef6ce219692c4ec918276ac99413e4fd1e3666e4031624f9289d620
font_02_sfnt_off0000fd56.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xFD56   11020 bytes
  SHA-256: d42f57fd244da70f806a34da9d9cf47336d0dd60a21afd5bf5a0a5265ff0891c