Malicious PDF — malware analysis report

Static analysis result for SHA-256 2152dab29d7cfe65…

Verdict: MALICIOUS
File type: PDF

Size: 72.3 KB
Created: 2020-11-17 21:11:14 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 78a5054aaa1f05821586312d0b5428c7
SHA-1: a53ab7e564eb4bd70a0e1d3d6ab8427302e4a672
SHA-256: 2152dab29d7cfe654eb65674afbcb7ec60b5e0edca0a339408596339db85b3cb
Risk Score: 212

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file was detected as malicious by ClamAV and exhibits characteristics of a link farm, containing numerous external links. One critical heuristic identified a link to known malicious redirector infrastructure, suggesting an attempt to redirect users to a phishing or malware distribution site. The document body, though heavily obfuscated, contains metadata related to its generation, but no direct textual lure is apparent.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.7277

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://cctraff.ru/strik?utm_term=5e+fighter+battle+master+guide