Malicious PDF — malware analysis report

Static analysis result for SHA-256 d65337a2d35588ce…

Verdict: MALICIOUS
File type: PDF
Size: 76.9 KB
Created: 2021-03-25 15:01:17 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0cf252872bafed7d8c31cef7e6ebfc13
SHA-1: 7f096d6e89aaa29d519669d0d6ae106e16c2c34b
SHA-256: d65337a2d35588ce01d990595fb20de5b14535b180470418b419b5700f704c7e
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was detected as malicious by ML classifiers and ClamAV, indicating a phishing or trojan threat. It contains an external URI pointing to 'kuzutuzo.ru', suggesting a lure for users searching for specific government-related documents. Although no scripts were explicitly extracted, the PDF structure and embedded URI are indicative of a phishing attempt to redirect users to a malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL: https://kuzutuzo.ru/award?keyword=central+cabinet+ministers+2020+pdf+download

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000ef2d.bin
    SHA-256: ddb502c6c65681742030eb63c1e7914165f298cd8754d2bd335b369619015780
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEF2D
    Size: 5712 bytes
  • Filename: font_01_sfnt_off0001028e.bin
    SHA-256: 38b2faf8fa658d681e31a10c63ca79bc4cae45c2bf81201b47cf87876a832d5c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1028E
    Size: 10356 bytes