Malicious PDF — malware analysis report

Static analysis result for SHA-256 05d90484194c63af…

Verdict: MALICIOUS
File type: PDF

Size: 52.6 KB
Created: 2020-11-24 03:55:31 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 767746c078a9b79cc39e0090d6d387c6
SHA-1: 3830aae0e8d9d8e5ff991b8d447863294037e1d5
SHA-256: 05d90484194c63af9debef51f8aac0efcd5c15cb6960e15fdda41133287f4054
Risk Score: 114

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF is identified as an image-only lure, typical for phishing attacks, containing a clickable action that directs to an external URL. It also features a link farm, suggesting an attempt to manipulate search engine results or distribute traffic to multiple sites. The ML classifier also flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.7590

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image-only document with action trigger (screenshot lure) [medium] PDF_IMAGE_LURE
    PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 52 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://traffking.ru/aws?utm_term=oneplus+7+pro+android+10+xda
    • https://daxedinojadu.weebly.com/uploads/1/3/4/5/134590150/4527220.pdf
    • https://puvujoda.weebly.com/uploads/1/3/4/3/134326666/3798696.pdf
    • https://dubuzosokiboxof.weebly.com/uploads/1/3/1/1/131163723/6463617.pdf
    • https://cdn-cms.f-static.net/uploads/4443595/normal_5fb6076403674.pdf
    • https://jijidiwudop.weebly.com/uploads/1/3/4/4/134481930/wepafiv-rolopikogotuz-wopasotu-jijovor.pdf
    • https://kerumesuni.weebly.com/uploads/1/3/4/1/134131613/8515450.pdf
    • https://cdn-cms.f-static.net/uploads/4370284/normal_5fb2e600d1cf4.pdf
    • https://cdn-cms.f-static.net/uploads/4383692/normal_5f97b0b70b8a3.pdf
    • https://uploads.strikinglycdn.com/files/c02b57de-78e0-4558-a822-555b69db1800/nakutisafuvopumodefaribol.pdf
    • https://uploads.strikinglycdn.com/files/05170da0-0067-44cb-bd48-22274ae43e06/96003975789.pdf
    • https://s3.amazonaws.com/legapatatezisa/59685708545.pdf
    • https://uploads.strikinglycdn.com/files/591cf009-c015-4898-b6cd-ce17efe30308/jrcalc_2019_clinical_guidelines.pdf
    • https://uploads.strikinglycdn.com/files/8c473916-3bfb-4ae5-88a4-61afdb125b43/pisumenomodiwisufaxeno.pdf
    • https://uploads.strikinglycdn.com/files/4708c496-90eb-4c6b-bf00-86574301c8ba/82404180792.pdf
    • https://uploads.strikinglycdn.com/files/0d125255-eec0-4c00-bcfe-c9aeecc8c5b8/mass_effect_2_morinth_guide.pdf