Malicious PDF — malware analysis report

Static analysis result for SHA-256 ba9bae255f414f01…

Verdict: MALICIOUS
File type: PDF
Size: 116.8 KB
Created: 2021-05-08 17:40:32 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 82468153ff58902f2d86b2a098c323b7
SHA-1: dd6ff0d16046991b5f85460bb3e2ea8cf9643e35
SHA-256: ba9bae255f414f01a38b302276e01dd431b29be5e1985f7e59d3840019cd38ee
Risk Score: 196

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was detected as malicious by ClamAV and an ML classifier, exhibiting characteristics of an advance-fee scam. It contains numerous external links, including one to 'kuzutuzo.ru', suggesting an attempt to redirect users to malicious websites. The document body, though heavily obfuscated, appears to be a lure related to a biography, likely to trick users into clicking the embedded links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics 6

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Advance-fee lottery/parcel scam lure (severity: high, rule: SE_ADVANCE_FEE_SCAM_LURE)
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://kuzutuzo.ru/strik?utm_term=ernest+hemingway+biography+a+life+of+love+and+loss
    • https://fabuduviwanor.weebly.com/uploads/1/3/4/7/134739750/6422891.pdf
    • https://vidiguwases.weebly.com/uploads/1/3/4/3/134347373/4fa0447a6.pdf
    • https://vimexizud.weebly.com/uploads/1/3/4/7/134755563/944a1093760.pdf
    • https://somotudodij.weebly.com/uploads/1/3/4/6/134699902/411158.pdf
    • http://koxelovanalimu.getenjoyment.net/19234897011.pdf
    • https://teniroge.weebly.com/uploads/1/3/4/6/134693228/397216.pdf
    • https://mebedepubini.weebly.com/uploads/1/3/0/8/130813558/risijadufilin.pdf
    • https://wulodegekejiwa.weebly.com/uploads/1/3/4/2/134266030/xufus_vukipemib_jozebimobeno_guzide.pdf
    • https://doxezudira.weebly.com/uploads/1/3/0/7/130739714/jariwiwagevuki.pdf
    • http://barajofa.mywebcommunity.org/how_do_i_change_the_pin_on_my_chamberlain_garage_door_keypad.pdf
    • https://derovidexaw.weebly.com/uploads/1/3/1/3/131382126/1061516.pdf
    • https://toxobeveja.weebly.com/uploads/1/3/1/4/131437160/7118478.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://348ddb29-83e1-4812-94a1-743b72ef9b42.filesusr.com/ugd/23b571_b5c3b810420c42bea24f539bad964907.pdf?index=true
    • https://e0220c8c-c322-4c33-af83-7c5b0fe00b66.filesusr.com/ugd/a771bd_50f7653dfc6b4fa898e77cdc4de71fe8.pdf?index=true
    • https://2ac56fc1-f7ee-4366-9cb2-1681469c68ee.filesusr.com/ugd/b914b5_c683bcc01a1a48848094dca34779eece.pdf?index=true
    • https://45180a89-8b92-4d54-a4c6-cdf0ad6af3c7.filesusr.com/ugd/2b98a3_066f73daf579455bafb111afb73a4d2a.pdf?index=true
    • https://4779f2f8-a33e-4327-9c78-21ee0bcf4620.filesusr.com/ugd/31bf02_2660a7827c8342c89400e83a590e37e1.pdf?index=true
    • https://aefb6378-f3ca-470a-b9d2-22936542d087.filesusr.com/ugd/fe129c_676a5cb518944f61bccd226183788e37.pdf?index=true
    • https://8ed7ad90-0d0e-491f-9c15-1f6cd5a61d18.filesusr.com/ugd/f1a804_4024539e3eeb412087fbec317ecaa12a.pdf?index=true
    • https://0a01f052-6ee6-4bfa-868d-d2e49373b03f.filesusr.com/ugd/55f640_779773090dfe4b5f99f8d04efc312749.pdf?index=true
    • https://9764c975-acb6-4bd5-a3ff-b1f4624bc9bc.filesusr.com/ugd/5bcb7b_96a6050198a84237aac2fc682fb9c785.pdf?index=true
    • https://cd65756b-a9c7-4cca-9498-1747a6459195.filesusr.com/ugd/05eb20_c4842398a98441d5af124481960679ce.pdf?index=true
    • http://tiruweditivunaw.myartsonline.com/83031376884.pdf
    • http://vebagakid.onlinewebshop.net/327193367.pdf
    • https://551f0ad2-75d1-4009-b90b-2f3e3e20230b.filesusr.com/ugd/c2bf0a_b01d0d97eb5a44bdbe5b0947031002e6.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00018a2d.bin
    SHA-256: c779010f1819a720fb9532c88aac55e38f68d3681dd6e6691792e6c4db222595
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x18A2D
    Size: 5808 bytes
  • Filename: font_01_sfnt_off00019dea.bin
    SHA-256: fe5f3387f1c8bacc1327684c22faf529a8f69b6810c1a71f78e8f887f6a1bf42
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x19DEA
    Size: 10736 bytes