Malicious PDF — malware analysis report

Static analysis result for SHA-256 04e675e7ad8f28ed…

MALICIOUS

PDF

68.0 KB Created: 2021-03-13 21:30:02 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-21
MD5: 3956939d445ad5b44196d723b2d82613 SHA-1: 76362212d610c60c7de5f6bb7fb1cb863c3479af SHA-256: 04e675e7ad8f28ed52ed7b9f715a7d384b2517e850d5933862bebb96b1b31132
182 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file contains numerous embedded URLs, many of which point to disposable hosting or known malicious redirectors. The heuristic 'PDF_MALICIOUS_REDIRECTOR_LINK' specifically flags a URL leading to malicious infrastructure. The ML classifier also strongly indicated maliciousness. While no scripts were extracted, the sheer volume of suspicious links suggests a phishing or scam attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8211

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://crophysi.ru/strik?utm_term=asus+rt-n12hp+router+price+in+bd In PDF document text
    • http://fibutogu.mywebcommunity.org/seminario_de_boveda_espiritual.pdfIn PDF document text
    • http://kafidovomiguvo.mywebcommunity.org/air_force_one_love_letter_uk.pdfIn PDF document text
    • http://wamawogep.iblogger.org/upsc_cds_form_online.pdfIn PDF document text
    • http://bekopomulasebi.getenjoyment.net/rainbow_vacuum_power_nozzle_hose.pdfIn PDF document text
    • http://laribij.scienceontheweb.net/nostra_aetate_deutsch.pdfIn PDF document text
    • http://gepokupaburorew.mywebcommunity.org/traitement_carie_dentaire.pdfIn PDF document text
    • http://pogawubujogeje.mypressonline.com/ledarom.pdfIn PDF document text
    • http://kirakexig.mypressonline.com/20897072075.pdfIn PDF document text
    • http://jaxagogilexet.sportsontheweb.net/what_is_a_qualitative_evaluation.pdfIn PDF document text
    • http://bimovixexena.scienceontheweb.net/serivavenotag.pdfIn PDF document text
    • http://bekopomulasebi.getenjoyment.net/delonghi_oil-filled_radiator_space_heater_quiet_1500w.pdfIn PDF document text
    • http://finoginujowiwi.mypressonline.com/92359983378.pdfIn PDF document text
    • http://fiforeru.atwebpages.com/15367464871.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/3f5ff2c5-e5b1-4d67-a3aa-ec73b3b37f94/frigidaire_gallery_refrigerator_ice_maker_reset.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/0fc81c5c-0de9-4893-80b7-41a5c77152b2/tung_group_theory_in_physics.pdfIn PDF document text
    • http://xorabaza.rf.gd/pubotoxuzibe.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/4d42724a-01c3-492d-8422-e9b677583c80/text_structure_worksheet_9.pdfIn PDF document text
    • http://gegurobaz.myartsonline.com/xojivomor.pdfIn PDF document text
    • http://regujag.rf.gd/mopewe.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/db9e2a96-0a06-452a-a119-0e8aa12b93bc/yoga_poses_for_weight_loss_in_a_week.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/cc45644b-9f50-49ae-bc8c-06d69e60a2a4/96046289311.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/ecb21c5f-9947-4e57-9aac-a2448772d251/vuvegujov.pdfIn PDF document text
    • http://fufudaloxola.onlinewebshop.net/if_function_in_ms_excel.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/abd17c4c-5bbf-44ce-ac44-015f41c74a8c/kobodejazalor.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/c1865403-c121-4f05-8483-73bb5178d251/automotive_mechanics_book_download.pdfIn PDF document text
    • http://jikebejilogotum.rf.gd/muvapelapokox.pdfIn PDF document text
    • http://lidiremuvuzanas.rf.gd/financial_analyst_journal.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/cfaf0a92-e6d5-41c5-84f5-f95b4d75a9f8/is_harvard_business_analytics_program_worth_it.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/20ea81a1-45eb-4d09-9b6c-caf71c68c07f/vixojimetu.pdfIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.