Malicious PDF — malware analysis report

Static analysis result for SHA-256 0d274091a4b7486c…

MALICIOUS

PDF

72.1 KB Created: 2021-05-31 16:57:20 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-25
MD5: b2af2c4f77ef61bfec9efd537f147133 SHA-1: 58e04b4f950def481de28901906567641963e040 SHA-256: 0d274091a4b7486c68046786a281161bf74442610fd031e864bc85142e835df8
184 Risk Score
Tags
free-cdn-ebook-manual-lure

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5147

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://inwebjor.ru/pbw?utm_term=descargar+halo+2+para+pc+gratis+en+espa%25C3%25B1ol+completo+para+windows+8.1 PDF link annotation
    • https://vepemetamat.weebly.com/uploads/1/3/4/3/134354227/88cd5.pdfIn PDF document text
    • https://vojufutevale.weebly.com/uploads/1/3/4/5/134521456/6e198a93.pdfIn PDF document text
    • https://buvowanux.weebly.com/uploads/1/3/4/6/134685119/3746938.pdfIn PDF document text
    • https://nigafabap.weebly.com/uploads/1/3/4/3/134377596/fuzonin_lafaxunazo.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4483082/normal_5fe728c03b8c0.pdfIn PDF document text
    • https://kelodulelonax.weebly.com/uploads/1/3/4/6/134644310/xoforupobawazo_suzoxag.pdfIn PDF document text
    • https://xojumemusip.weebly.com/uploads/1/3/4/0/134018475/9c63a85.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4470545/normal_5fdf707c35fc5.pdfIn PDF document text
    • https://sixodajumam.weebly.com/uploads/1/3/4/3/134311071/tusabukema.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4366987/normal_5fd82b6a5021b.pdfIn PDF document text
    • https://wisefumi.weebly.com/uploads/1/3/4/6/134672277/a9a5c11ff0cc7b.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4417980/normal_6013df582bf08.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4475375/normal_60689057d55c7.pdfIn PDF document text
    • https://zenibevakuziva.weebly.com/uploads/1/3/0/7/130739170/wofef.pdfIn PDF document text
    • https://futuziduxe.weebly.com/uploads/1/3/4/5/134508203/7475293.pdfIn PDF document text
    • https://fuvutefimege.weebly.com/uploads/1/3/1/4/131453053/4c23d64df095.pdfIn PDF document text
    • http://negovijalulu.pbworks.com/f/super_robot_wars_r_gba_english_patch.pdfIn PDF document text
    • http://natizasex.pbworks.com/w/file/fetch/144411591/active_and_passive_voice_worksheets_for_class_6_cbse_with_answers.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/ffd62dcd-4ce3-4471-9543-85e967e556be/corningware_slow_cooker_recipes.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/f68e6fa5-ae1f-4115-9a8d-7acda6ba267e/5_paragraph_essay_example_7th_grade.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/273ea259-b17b-4826-a67c-6210dc1a2ddd/dageto.pdfIn PDF document text
    • http://sepaxebi.pbworks.com/w/file/fetch/144414003/illustrator_2020_system_requirements.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/1ccdf372-cedc-4872-a99c-ea1e39997740/wavozagefurapuj.pdfIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.