Malicious PDF — malware analysis report

Static analysis result for SHA-256 ac7ac1c750d7b3e6…

MALICIOUS

PDF

Size: 78.0 KB
Created: 2021-05-19 17:43:35 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 230abb6ecda940f5f5a686969fd2d3a9
SHA-1: e6256660c4e76c9a9231edebfdd5b9b8b32a25b8
SHA-256: ac7ac1c750d7b3e6a568cdef192b6b98e32e49e46d98dc51fa2ea1402e791ec5
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. It contains an embedded URI pointing to 'kuzutuzo.ru', which is likely part of a phishing or malware distribution scheme. No scripts were extracted, but the presence of external URLs and the overall detection suggest a phishing lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9956

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://kuzutuzo.ru/strik?utm_term=what+are+the+3+major+economic+systems

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f119.bin
  SHA-256: 8f329c09a627e4d987b0dc0eec4a859a267745436724b48308fd3557f5b4617a
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF119
  Size: 5360 bytes

Filename: font_01_sfnt_off00010341.bin
  SHA-256: f3cc52b8d48d9d733decf901067416ac8d0b16244e61ebf374761893a0ec2208
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x10341
  Size: 11460 bytes