Malicious PDF — malware analysis report

Static analysis result for SHA-256 c6bfa966ec392c02…

Verdict: MALICIOUS

File type: PDF

Size: 314.0 KB
Created: 2021-03-10 17:31:14 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-21
MD5: 3bb9d4a96a567ff7932440b173c02d76
SHA-1: 6aca2cf577f1591ef93e030e93095a7bbcf704b2
SHA-256: c6bfa966ec392c02af9901b4c8a491e3525b637a73d3c5761c2759ea236b6a47
Risk score: 94

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file was detected as malicious by ML classifiers and ClamAV, indicating a phishing or trojan payload. It contains an embedded URI pointing to 'kuzutuzo.ru', which is likely part of a phishing campaign. The document body, though heavily obfuscated, suggests a lure related to 'Adobe pdf printer instance'. No scripts were extracted, but the presence of an external URI and the malware detection strongly suggest a phishing attack.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9288

Heuristics (3)

  • ClamAV detection (critical, CLAMAV_DETECTION): Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
    ClamAV detected this file as malware under the signature named above.
  • External URI (info, PDF_URI)
    The PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://kuzutuzo.ru/award?keyword=adobe+pdf+printer+instance (PDF link annotation)