Malicious PDF — malware analysis report

Static analysis result for SHA-256 05328991e98ec264…

Verdict: MALICIOUS
File type: PDF
Size: 58.6 KB
Created: 2021-03-21 03:20:58 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-08-25
MD5: 41bffe2937c728f23e9d25c7dbb02aff
SHA-1: 9d102f09741f81c9e0ee031a54326773c72e19d3
SHA-256: 05328991e98ec264468c2d92e29ba829fbac2abd07b4a5afe026c17f0b2538a6
Risk score: 184

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a phishing or trojan payload. It contains numerous external links, many hosted on disposable domains, suggesting a link farm designed to redirect users to malicious sites. The document body, though heavily obfuscated, appears to be a lure related to computer hardware specifications.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9754

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://pelibifir.ru/aws?utm_term=optiplex+790+ram+specs (PDF link annotation)