Malicious PDF — malware analysis report

Static analysis result for SHA-256 031905c801687e2b…

MALICIOUS

PDF

43.7 KB Created: 2020-11-29 21:53:28 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-26
MD5: 05d3cb04fa5fb313393d5a5cc0f7563b SHA-1: ddde89aa5bac4afa08a38fa865939004a12f38d7 SHA-256: 031905c801687e2b01fa8732aa06215e8048d29a8933b8735c3ce99f3840f816
212 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a deceptive title related to 'How to cheat cpap compliance' and embeds a large number of external links, with at least one pointing to known malicious redirector infrastructure. The presence of numerous PDF links suggests a link farm or SEO manipulation tactic, and the ClamAV detection as Pdf.Phishing.Trojan indicates a phishing or malicious intent. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6591

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffmen.ru/strik?utm_term=how+to+cheat+cpap+compliance In PDF document text
    • https://cdn-cms.f-static.net/uploads/4379471/normal_5f91d24ded259.pdfIn PDF document text
    • https://figejarorosuwe.weebly.com/uploads/1/3/4/4/134433037/304bda.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4374838/normal_5f8fb88c69d13.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4381287/normal_5fc0c1d8890d6.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4501791/normal_5fb2615f41b79.pdfIn PDF document text
    • https://fidegobopoj.weebly.com/uploads/1/3/2/8/132815019/58a008a278f40.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4455207/normal_5fb01425b568c.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4366344/normal_5fa38a9193ddf.pdfIn PDF document text
    • https://s3.amazonaws.com/lixasifasi/bisibod.pdfIn PDF document text
    • https://s3.amazonaws.com/zuses/vikixalowokabexal.pdfIn PDF document text
    • https://s3.amazonaws.com/gumagabu/batwing_top_pattern.pdfIn PDF document text
    • https://s3.amazonaws.com/vuforewebub/ark_single_player_spawn_codes.pdfIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.