Malicious PDF — malware analysis report

Static analysis result for SHA-256 1b80a55f5c0fdd8f…

Verdict: MALICIOUS
File type: PDF
Size: 66.6 KB
Created: 2021-03-20 23:52:28 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6a6246387b379d2659810bea406d4fb5
SHA-1: 9dc5564782f80f982d54bfc58bb426b52364e6d6
SHA-256: 1b80a55f5c0fdd8f55364d29971e39d1cf3e361113b851b8f4358c2677af8d32
Risk Score: 154

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of external links, many of which point to potentially malicious domains, indicating a link farm or phishing attempt. The ML classifier and ClamAV detection strongly suggest malicious intent. While no scripts were explicitly extracted, the PDF structure and embedded URIs are indicative of a malicious document designed to redirect users to harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9618

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF_URI (info): External URI
    PDF contains an external URL action
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.