Malicious PDF — malware analysis report

Static analysis result for SHA-256 15a8b8e138ef7ff7…

Verdict: MALICIOUS
File type: PDF
Size: 83.6 KB
Created: 2020-11-18 08:21:53 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-27
MD5: 8ac932e092ad64eb1b2510e64872dd1a
SHA-1: fb2b1a0a0ba9cf713b75ff0f972d9c0e56f92cd1
SHA-256: 15a8b8e138ef7ff701a22e6e0d65438df61c1f1fdf1210ace0eaa810ab59f045
Risk Score: 154

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file contains numerous external links, including one pointing to 'traffnew.ru/aws?utm_term=android+watch+os', suggesting a phishing or malware distribution lure. The heuristic 'PDF_SEO_LINK_FARM' indicates a mass of external links, further supporting this. ClamAV detection as 'Pdf.Phishing.Trojan' confirms malicious intent. While no scripts were explicitly extracted, the PDF structure and embedded URIs are indicative of a malicious document designed to redirect users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9131

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info, PDF_URI]
    PDF contains an external URL action.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://traffnew.ru/aws?utm_term=android+watch+os (PDF link annotation)