Malicious PDF — malware analysis report

Static analysis result for SHA-256 0b772622a0a906dd…

MALICIOUS

PDF

Size: 70.5 KB
Created: 2021-06-10 01:16:14 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 482966785efebfc554bd35c47b68ddd0
SHA-1: 20dd1035fe5642ce09bae30ecf2feade446f63a2
SHA-256: 0b772622a0a906dd2ce963bab27b6ba5d6de35068bbfe8698d0efe602904358a
Risk Score: 154

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of external links, many of which are hosted on Weebly and appear to be part of a link farm. The document body, though heavily obfuscated, suggests a lure related to 'macroeconomics olivier blanchard 7th edition pdf free'. This indicates a likely phishing or SEO spam campaign designed to drive traffic to malicious or ad-heavy sites. No scripts were extracted, but the PDF structure and numerous external URIs point towards a malicious intent to redirect users.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6002

Heuristics (4)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.