Malicious PDF — malware analysis report

Static analysis result for SHA-256 8f7bdbc6d1064ae4…

MALICIOUS

PDF

Size: 78.6 KB
Created: 2021-03-09 12:13:37 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0da42f2d3f366d6f2f6447470d0a4207
SHA-1: d13c12023b7fba290785fb110392d3143fd17d9a
SHA-256: 8f7bdbc6d1064ae4c89099fd39759d86ee1ea3a5553dda3c2e0ff90cf37a840b
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

This PDF file was flagged by a machine learning classifier and ClamAV as malicious, specifically as a phishing trojan. It contains numerous embedded URLs, with one prominent URL pointing to a suspicious domain ('kuzutuzo.ru') and containing terms related to game keys, suggesting a lure. The heuristic 'PDF_SEO_DISPOSABLE_LINK_FARM' indicates the PDF is part of a link farm on disposable hosting, further supporting a malicious intent to redirect users. The presence of a 'download button' lure and a 'callback lure' heuristic also points towards social engineering tactics.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9997

Heuristics (7)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Callback phishing phone lure (medium, SE_CALLBACK_LURE)
    Document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • Visual download / call-to-action button lure (low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). This is a low-signal finding unless other findings point to a malicious workflow.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Prominent URL: https://kuzutuzo.ru/aws?utm_term=cd+key+cs+1.6+steam+gratis

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000f07d.bin
    SHA-256: 9583cb7305d46513eda0757deed6724c1e321102ddcf829d9d2e4f0b4eaeca84
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF07D
    Size: 5536 bytes
  • Filename: font_01_sfnt_off0001034d.bin
    SHA-256: 83df6e2eabf9fdcee8b9babb2af60c8bb3bf838ccc2b2fe1fccf57aa56c9ca94
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1034D
    Size: 13148 bytes