Malicious PDF — malware analysis report

Static analysis result for SHA-256 bdb0290c05dca733…

MALICIOUS

PDF

72.2 KB Created: 2021-04-03 10:53:09 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 000c9750409e0002e6e1737a4970182a SHA-1: feb0b33bdf7180f2ecace6b7ace74b4ebb7956cb SHA-256: bdb0290c05dca733c312867d02b5bab66b73d6804c472fabfabf61c09f344f1b
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is a PDF document flagged by multiple heuristics and a machine learning classifier as malicious, with ClamAV identifying it as a phishing trojan. It contains an embedded URI pointing to a suspicious domain, mezovuduw.ru, which is likely used to host a malicious payload or phishing page. The document body, though partially corrupted, includes metadata suggesting it was generated by wkhtmltopdf, and the presence of embedded font streams is common in obfuscated PDF malware.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://mezovuduw.ru/strik?utm_term=why+does+the+pto+not+engage
    • https://cdn.sqhk.co/bapulofuw/iiujdgc/73052285550.pdf
    • https://cdn.sqhk.co/ropobemuma/cRPVnje/zinuxumusot.pdf
    • https://cdn-cms.f-static.net/uploads/4457000/normal_605e16e0f06a8.pdf
    • https://static.s123-cdn-static.com/uploads/4383916/normal_5fe132e913650.pdf
    • https://cdn.sqhk.co/wiberini/m2qhxNs/bounce_tales_java_apk.pdf
    • https://cdn.sqhk.co/defisepeniba/eG1hcgf/list_makers_crossword_puzzle_clue.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/xowasosuf/rutokem.pdf
    • https://s3.amazonaws.com/dogevazapiwediw/82204039014.pdf
    • https://s3.amazonaws.com/gajabedafot/gavelanadupilokabimo.pdf
    • https://s3.amazonaws.com/sajatofubote/sitefatowijurolisadop.pdf
    • https://s3.amazonaws.com/fevobelijogal/jovexowidipewuredaroxeve.pdf
    • https://s3.amazonaws.com/dazifozixawus/2014_cadillac_cts_review_consumer_reports.pdf
    • https://s3.amazonaws.com/runuzitexokol/96028944420.pdf
    • https://s3.amazonaws.com/tazopaju/12475155284.pdf
    • https://s3.amazonaws.com/bupijila/20814908101.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000dabf.bin
fa59cd9d4fe7ec08508e5f915f2d953a35a5624e6ea6c076069cccf8c38f6b03		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDABF 5208 bytes
font_01_sfnt_off0000ec8e.bin
563ca0bd69065274390fff63699f0b7a55346390a014719bc48689a25f633e4f		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEC8E 11264 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.