Malicious PDF — malware analysis report

Static analysis result for SHA-256 954d1f7ec39a0f96…

Verdict: MALICIOUS
File type: PDF
Size: 69.2 KB
Created: 2021-04-03 18:42:12 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c87c39d37afe3834e67ce4eaf502783d
SHA-1: 1f12129f1c95a6ec4e0c55360b5fe3d05edbcbd7
SHA-256: 954d1f7ec39a0f96fbea8c933bae217242657176318719548df5f50977df4fb2
Risk Score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged as malicious by a machine learning classifier and ClamAV, indicating a high likelihood of malicious intent. It contains an embedded URI pointing to 'lozipotod.ru', which is likely a phishing or malware distribution domain. The document body, though heavily obfuscated, contains metadata related to its creation, suggesting it was generated programmatically to host or redirect to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://lozipotod.ru/wix?keyword=auto+shop+manuals+online
    • http://worelimupuvefam.mywebcommunity.org/47531111316.pdf
    • http://favodokoleti.mypressonline.com/white_hot_kiss_book.pdf
    • http://zovitidagawas.sportsontheweb.net/state_employees_credit_union_login_north_carolina.pdf
    • http://rutekotugu.22web.org/gmail_for_windows_8_free.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/bezutu/binipefamisikubafib.pdf
    • https://0f3c41ac-de96-4ba7-a517-026d7435d592.filesusr.com/ugd/8631de_2fdca0cadff14b298ed175ad8365ad68.pdf?index=true
    • https://72cee60b-533f-4fda-9f40-87b1bb6f0553.filesusr.com/ugd/590778_a20febd2b7a7453d8c31736c12bf9d77.pdf?index=true
    • http://revulagolorer.epizy.com/80514681526.pdf
    • https://s3.amazonaws.com/kimone/fuvotikesasufa.pdf
    • https://ecf8b3bd-8201-449f-a39c-156acd88681e.filesusr.com/ugd/97634b_f491ae7cc7ce48d7a9e7a03a22eacd28.pdf?index=true
    • https://a001dc82-f31e-4944-9b76-0a8e602b6855.filesusr.com/ugd/e4ee87_444b4fe68a984d75b8eb8135bdfda059.pdf?index=true
    • http://xipisageju.epizy.com/52590704430.pdf
    • https://s3.amazonaws.com/zolerazowubow/somaxozusibibizi.pdf
    • http://zuvujivir.rf.gd/cracking_the_coding_interview_8th.pdf
    • http://luvabokinoleg.onlinewebshop.net/lipid_metabolism.pdf
    • http://ziketikivanodiw.epizy.com/free_excel_budget_spreadsheet_monthly.pdf
    • http://banines.rf.gd/cambridge_checkpoint_science_revision_notes.pdf
    • http://rukosivujuxu.atwebpages.com/halleys_bible_handbook_henry_h_halley_download.pdf
    • https://8c56b32b-3398-45d6-9c0b-b55146621f16.filesusr.com/ugd/6924eb_b165a4ea48a04a05950fea92699a60c7.pdf?index=true
    • https://78151a86-a557-4e49-81aa-a2539eea45c7.filesusr.com/ugd/204f4f_59602598bae34d1abeb06f20b9065d14.pdf?index=true
    • https://dd3a609d-fcd9-461e-ae06-f7e9ec6f332d.filesusr.com/ugd/811c3f_64edf122f44d4a89b964c088c386ae6b.pdf?index=true
    • http://puwokamavureme.rf.gd/wibitemokovo.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000d3be.bin
    SHA-256: 382581cc6f0821a8897f05f2a31a852783cb87677a5ae8517ffe0491aa40f0ed
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD3BE
    Size: 4952 bytes
  • Filename: font_01_sfnt_off0000e471.bin
    SHA-256: 5a83c6dce508d67c0279f5f37bb6f13bceb44cc5d55d60fc643ba7cfbafca67d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE471
    Size: 10328 bytes