Malicious PDF — malware analysis report

Static analysis result for SHA-256 d4f5364b4a40f20d…

Verdict: MALICIOUS
File type: PDF
Size: 77.2 KB
Created: 2021-03-27 22:04:15 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 085b30bd97316f464f24cc3a5a65ea7f
SHA-1: deb9ff5d81af578188fbd0cc182ffde9fa96fad4
SHA-256: d4f5364b4a40f20d57f2094a51a0fb53a238a194a2c09a714befe99d2ec09a4a
Risk score: 176

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The sample is flagged as malicious by both an ML classifier and ClamAV, and the matched heuristics indicate a phishing lure and a possible password-protected-archive handoff. The embedded URL `https://kuzutuzo.ru/award?keyword=como+baixar+pdf+iphone` suggests a phishing attempt themed around downloading PDFs. No scripts were explicitly extracted, but the PDF container and the nature of the matched heuristics leave room for embedded JavaScript or other exploit mechanisms.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9992

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Password-protected archive handoff (high, SE_PASSWORD_ARCHIVE_LURE)
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Remote-support tool lure (high, SE_REMOTE_SUPPORT_LURE)
    Document instructs the user to install, open, or connect with a remote-support tool such as AnyDesk, TeamViewer, Quick Assist, or ScreenConnect — high-risk in an unsolicited document
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://kuzutuzo.ru/award?keyword=como+baixar+pdf+iphone

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000ed8a.bin
    SHA-256: 5d1d67ebbd92007b3e92d4cbda67b56418a56753739aea768c3d691d1886507f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xED8A
    Size: 5184 bytes
  • font_01_sfnt_off0000fefc.bin
    SHA-256: 73fc6e8c2c46bc0dda717d181d00ce283e5f0ee2ce51fdebd9fa8fc606de739c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFEFC
    Size: 12592 bytes