Malicious PDF — malware analysis report

Static analysis result for SHA-256 9d3a381206a9c1e2…

MALICIOUS

PDF

Size: 78.3 KB
Created: 2021-03-24 16:58:16 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: aafe88c5476d4794c30b01eb30260883
SHA-1: d00ead643c3c0332070463d528c465e74ed4845c
SHA-256: 9d3a381206a9c1e2d65e6bce47bbaa2c956540245d46f3c9abe8858dfca85531
Risk Score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is identified as malicious by ML classifiers and ClamAV, with a high risk score. It contains an embedded URI pointing to 'kuzutuzo.ru', which is likely a phishing or malware distribution domain. The document body, though heavily obfuscated, suggests a lure related to educational content ('periodic table of elements worksheet'). No scripts were extracted, but the presence of external URIs and the nature of the detection suggest it's designed to lead the user to a malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URL: https://kuzutuzo.ru/wix?keyword=periodic+table+of+elements+with+names+and+symbols+worksheet

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      | SHA-256                                                          | Kind            | Source                                      | Size
font_00_sfnt_off0000f231.bin  | ed3cbd4f6bc73085c3eace0d2b218a13341694570e30422756a87fdf9e8ffe3b | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF231   | 5660 bytes
font_01_sfnt_off00010558.bin  | 45b889d30dca1799ff9674f95c760ce5a87a8bb569a63a38c6b4602302c24aed | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10558  | 10664 bytes