Malicious PDF — malware analysis report

Static analysis result for SHA-256 feee06193a04ea1f…

MALICIOUS

PDF

Size: 90.9 KB
Created: 2021-03-14 10:21:52 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f874ff883968ef6e0b39c35e6790db16
SHA-1: e66ebecdd4b1aca71c0cc39304b51105f338dca1
SHA-256: feee06193a04ea1f0462724cd32dd0eb7cb20493dba9ccd725c07a5a7956f039
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

ClamAV and the ML classifier both flag the file as malicious, so the verdict rests on two independent detectors. The embedded URL https://kuzutuzo.ru/award?keyword=fisco+agenda+2020+pdf+gratis, whose query string repeats the lure phrase, points to a likely phishing or credential-harvesting landing page. The document body contains keywords around 'Fisco agenda 2020 pdf gratis', a free-download lure meant to get the reader to click that link. Most of the other extracted URLs are links to further PDFs on site-builder CDNs (weebly.com, strikinglycdn.com, filesusr.com), plus the XMP namespace and DejaVu font-licence URIs that wkhtmltopdf writes into its metadata and embedded fonts; none of those is a detection on its own. The duplicated indirect object is reported at info severity only, which per that heuristic's own rule means the duplicate carries no active content and is consistent with a benign incremental update rather than a parser-confusion attack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9982

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://kuzutuzo.ru/award?keyword=fisco+agenda+2020+pdf+gratis
    • http://bloomwithdeanna.com/notas_de_fur_elise_piano_virtualn61q5.pdf
    • https://static.s123-cdn-static.com/uploads/4457590/normal_5fcced03735ba.pdf
    • https://cdn-cms.f-static.net/uploads/4372085/normal_600f7d6b78f11.pdf
    • https://static.s123-cdn-static.com/uploads/4499309/normal_5fdd61e4a950e.pdf
    • https://bavoramexur.weebly.com/uploads/1/3/5/3/135326869/3698936.pdf
    • http://tpdreport.com/what_does_tiger_moth_caterpillar_eat3lpp4.pdf
    • https://cdn-cms.f-static.net/uploads/4468268/normal_601ee2b9cb6f3.pdf
    • https://static.s123-cdn-static.com/uploads/4477649/normal_5fcb34176ee7b.pdf
    • https://static.s123-cdn-static.com/uploads/4403130/normal_5fdf186e3df26.pdf
    • https://static.s123-cdn-static.com/uploads/4375708/normal_5fe05837a0454.pdf
    • https://siroxexorap.weebly.com/uploads/1/3/0/7/130739693/ab5fd5.pdf
    • https://cdn-cms.f-static.net/uploads/4460688/normal_6009bd0689c9b.pdf
    • http://samo-katim.ru/474192351073w6vu.pdf
    • https://milorupubi.weebly.com/uploads/1/3/4/3/134317418/xotabamojupabawa.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://uploads.strikinglycdn.com/files/ceaf23a8-ed92-4b2c-80d5-b4c6f96fba5d/14883860181.pdf
    • https://uploads.strikinglycdn.com/files/5c26c8f9-992c-45ec-b4a9-033306546645/scientific_method_worksheet_7th_grade.pdf
    • https://uploads.strikinglycdn.com/files/1925a830-df05-43fb-ac8b-0efcc71e845b/67018402128.pdf
    • https://uploads.strikinglycdn.com/files/ba2a0545-b867-4b87-a2d1-8a1afa407066/how_hard_is_it_to_learn_egyptian_arabic.pdf
    • https://b0c090b1-cb02-46d8-8a69-3fb9d82636b6.filesusr.com/ugd/4dbf3f_b7bf9ba134ce4937b72738a25b099dc9.pdf?index=true
    • https://45e41439-46a4-4c97-84f0-155cfeda4cef.filesusr.com/ugd/9d7ad9_4c54b168a12c4bd1ad6cf7f4faa7f7fc.pdf?index=true
    • https://27f1a270-5048-4778-87f0-574dfe85248a.filesusr.com/ugd/b7306e_4a03f9f8adb54015a5df1e951b09566d.pdf?index=true
    • https://uploads.strikinglycdn.com/files/63fd8163-a82a-40ac-b0cc-653fa7bf426e/werafelulajetesadesirez.pdf
    • https://12c48f50-3553-44c7-a31c-19fc5df83d07.filesusr.com/ugd/7e0eb0_52c5111d84db4f378ab20dfa36b469cc.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
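The two structural checks above, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and the PDF_URI / EMBEDDED_URL channel labelling, are easy to reproduce on the raw bytes. The script below is an added triage helper, not the analyser's own code: it lists every indirect object a file defines more than once with differing bodies, shows what a first-wins and a last-wins reader would each resolve, flags whether any copy carries active-content keys, and labels each extracted URL with the channel that reached it (a /URI action, XMP metadata, or plain document bytes). The sample PDF, the placeholder URLs and the ACTIVE_KEYS list are constructed for the example; the regexes work on raw bytes and do not honour /Length, so a stream that happens to contain the bytes "endobj" would truncate that object.

```python
"""Added triage helper (not the report tool's own code): find indirect objects a PDF
defines more than once with differing bodies, and label every extracted URL with the
channel that carries it. Regex-based on the raw bytes, so it sees incremental updates
and object shadows that an xref-following parser would silently resolve one way."""
import re
from collections import defaultdict

# Assumed list: keys whose presence turns a duplicated object from a benign re-save
# into active content (the condition under which the report raises severity).
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA", b"/URI",
               b"/SubmitForm", b"/GoToR", b"/EmbeddedFile")

# "N G obj ... endobj"; non-greedy, so a stream containing the bytes "endobj" would
# truncate that object. Good enough for triage, not a substitute for honouring /Length.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
URL_RE = re.compile(rb"https?://[^\s<>()\"']+")
XMP_RE = re.compile(rb"<\?xpacket begin.*?<\?xpacket end[^>]*\?>", re.S)


def find_objects(data):
    """Map (num, gen) -> list of bodies in file order; a later entry is an incremental update."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return objs


def duplicate_objects(data):
    """Objects defined more than once with different bytes. Reports what a first-wins and a
    last-wins reader would each resolve, and whether any copy carries active content."""
    findings = []
    for key, bodies in find_objects(data).items():
        if len(bodies) > 1 and len(set(bodies)) > 1:
            findings.append({
                "obj": key,
                "count": len(bodies),
                "active": any(k in b for b in bodies for k in ACTIVE_KEYS),
                "first_wins": bodies[0],
                "last_wins": bodies[-1],
            })
    return findings


def uri_actions(data):
    """URLs reached through a /URI action dictionary (the clickable PDF_URI channel)."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(data)]


def classify_urls(data):
    """Label each URL by channel: 'uri-action' (clickable), 'xmp-metadata' (namespace
    URIs written by the producer), or 'body' (page content or other raw bytes)."""
    xmp_spans = [(m.start(), m.end()) for m in XMP_RE.finditer(data)]
    clickable = set(uri_actions(data))
    labels = {}
    for m in URL_RE.finditer(data):
        url = m.group(0).decode("latin-1")
        if url in clickable:
            channel = "uri-action"
        elif any(s <= m.start() < e for s, e in xmp_spans):
            channel = "xmp-metadata"
        else:
            channel = "body"
        labels.setdefault(url, channel)
    return labels


# Constructed skeleton, not the analysed sample: a one-page PDF whose incremental update
# shadows page object 3 0 with a copy that adds an /AA open action. URLs are placeholders.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 6 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] /Contents 5 0 R >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://lure.example/award?keyword=test) >> >> endobj
5 0 obj << /Length 45 >>
stream
BT (Visit http://fonts.example/license) Tj ET
endstream
endobj
6 0 obj << /Type /Metadata /Subtype /XML >>
stream
<?xpacket begin=''?><rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'/><?xpacket end='w'?>
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] /Contents 5 0 R /AA << /O << /S /URI /URI (https://second.example/x) >> >> >> endobj
trailer << /Root 1 0 R /Prev 9 >>
%%EOF
"""

if __name__ == "__main__":
    for d in duplicate_objects(SAMPLE_PDF):
        print("duplicate", d["obj"], "copies:", d["count"], "active:", d["active"])
    for url, channel in classify_urls(SAMPLE_PDF).items():
        print(f"{channel:13s} {url}")
```

On the skeleton the page object 3 0 is reported once with two copies, marked active because the last-wins copy carries /AA and /URI; the three placeholder URLs come back as uri-action, body and xmp-metadata respectively. Run it over a real sample with `duplicate_objects(open(path, "rb").read())`; a duplicate whose copies differ only in benign keys is the common re-save case, and only an active duplicate deserves the raised severity the heuristic describes.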

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename                       Kind              Source                                       Size
(SHA-256 of each carved file on the following line)

font_00_sfnt_off0000f3f6.bin   pdf-font-stream   PDF embedded font (sfnt) at offset 0xF3F6    5308 bytes
  SHA-256: 30cb077e35bc7bce5196a9f5a116cdc5575ac6d97c43482e1f35a091b0f84941
font_01_sfnt_off00010604.bin   pdf-font-stream   PDF embedded font (sfnt) at offset 0x10604   14076 bytes
  SHA-256: 1f05f8013ce533a2767a802c45cd7b2336d145a977b191cba9ab0f8710f45f85
font_02_sfnt_off00012f9f.bin   pdf-font-stream   PDF embedded font (sfnt) at offset 0x12F9F   19468 bytes
  SHA-256: 7bc5f778ac72c796ec80a47ede9c72b958bde8ce117fe7bcbba3e862141d2861
font_03_sfnt_off00014f22.bin   pdf-font-stream   PDF embedded font (sfnt) at offset 0x14F22   4324 bytes
  SHA-256: 05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176