Malicious PDF — malware analysis report

Static analysis result for SHA-256 e50c18d3c32bc7dd…

MALICIOUS

PDF

74.3 KB Created: 2021-05-20 17:13:38 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 43f56d66b3f17b02b2cc05e23ff7718c SHA-1: 4d4fda04c40845dbbf827b83cf9e922576f52450 SHA-256: e50c18d3c32bc7ddf54dd475b9b7bdb073daeff852a17b6785242e70dde77deb
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains numerous external links, with a critical heuristic identifying it as a 'PDF_SEO_LINK_FARM'. The primary external URL points to 'kuzutuzo.ru', suggesting a malicious redirection or phishing attempt. The presence of a ClamAV detection for 'Pdf.Phishing.Trojan' and a high ML score further support its malicious nature. While no scripts were directly extracted, the structure and heuristics indicate an attempt to drive traffic to malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9835

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://kuzutuzo.ru/strik?utm_term=fundamentals+of+project+management+slideshare
    • https://denelabi.weebly.com/uploads/1/3/4/1/134109088/dikaz.pdf
    • https://static.s123-cdn-static.com/uploads/4501229/normal_5fcd099578a99.pdf
    • https://cdn-cms.f-static.net/uploads/4450721/normal_6041623f7779d.pdf
    • https://static.s123-cdn-static.com/uploads/4476750/normal_5fcee5b0b520c.pdf
    • https://cdn-cms.f-static.net/uploads/4451047/normal_60595b9a08c1b.pdf
    • https://cdn-cms.f-static.net/uploads/4392215/normal_60653c38306fd.pdf
    • https://static.s123-cdn-static.com/uploads/4450041/normal_5ff027459c332.pdf
    • https://static.s123-cdn-static.com/uploads/4448357/normal_5ff6a82333b45.pdf
    • https://static.s123-cdn-static.com/uploads/4491686/normal_5ff57d6578272.pdf
    • https://cdn-cms.f-static.net/uploads/4382639/normal_6069e8847ee43.pdf
    • https://static.s123-cdn-static.com/uploads/4418369/normal_5fcc61678060e.pdf
    • https://cdn-cms.f-static.net/uploads/4427499/normal_60485091c2a17.pdf
    • https://liwigudujonaj.weebly.com/uploads/1/3/5/3/135383521/5405478.pdf
    • https://cdn-cms.f-static.net/uploads/4495843/normal_6031bc5673eba.pdf
    • https://xonutadeb.weebly.com/uploads/1/3/0/7/130775355/f3ccb4c32675.pdf
    • https://cdn-cms.f-static.net/uploads/4416929/normal_60633e3996e6b.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/jifesu/jenifamizetapixesenaxumev.pdf
    • https://s3.amazonaws.com/vudivuzakal/pajofuvurerafabipidumiv.pdf
    • https://s3.amazonaws.com/zedudo/taxukepigo.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ee2d.bin
da72439d30566ec5282fae8e7a6d3a7c3edf70f3cc484b7be7878379281b1213		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEE2D 5600 bytes
font_01_sfnt_off00010115.bin
08df8d324a90e7ffa4b46c579b4cbbc8d58ca50267e98afe1414726b004ec32c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10115 13736 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.