Malicious PDF — malware analysis report

Static analysis result for SHA-256 22aad9b556c46133…

MALICIOUS

PDF

67.2 KB Created: 2021-04-08 05:23:07 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a398fa84662740fad25d8ffe5ee0dbc4 SHA-1: 492c022c0026263a7cbf58b8cafd983726bfe223 SHA-256: 22aad9b556c461333c9b6520b8514a3b50758ed57a228ba9d893f1d4010dc334
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains numerous external links, flagged as a link farm, directing users to potentially malicious domains. The document body, though heavily obfuscated, suggests a lure related to car seat cover installation. ClamAV and ML classifiers identified the file as malicious, specifically a phishing trojan.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9590

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://fokemale.ru/strik?utm_term=alpha+omega+elite+car+seat+cover+installation
    • https://cdn-cms.f-static.net/uploads/4376602/normal_601a74460e77f.pdf
    • https://fovevirikat.weebly.com/uploads/1/3/0/7/130775443/6a7f90489.pdf
    • https://cdn-cms.f-static.net/uploads/4444098/normal_6030144f7a1e6.pdf
    • http://zejirejajedudu.getenjoyment.net/77893464973.pdf
    • https://cdn-cms.f-static.net/uploads/4383791/normal_60192ef44e11f.pdf
    • https://dulumomotuvubu.weebly.com/uploads/1/3/4/7/134759228/7269453.pdf
    • https://cdn-cms.f-static.net/uploads/4475864/normal_605255dedd374.pdf
    • http://tezijexipilimo.getenjoyment.net/97597984592.pdf
    • https://static.s123-cdn-static.com/uploads/4470029/normal_6005d26bb2e82.pdf
    • http://betijeduw.getenjoyment.net/kolaravas.pdf
    • https://static.s123-cdn-static.com/uploads/4408190/normal_5fcde24b5c5b6.pdf
    • https://cdn-cms.f-static.net/uploads/4416798/normal_600d5d4fd88e9.pdf
    • https://2a983b51-2e13-4971-8c1f-a5bca3ab4353.filesusr.com/ugd/e1a791_7e18ee6d123a48fa9077ee762f45609c.pdf?index=true
    • https://691dfa98-c543-4342-b77d-a3d7fbf094aa.filesusr.com/ugd/d55835_4320744e8b684509aab7cc7d4f8c6ec9.pdf?index=true
    • http://nudagimanefej.atwebpages.com/calendario_escolar_sevilla_2020_20.pdf
    • https://37991ae0-d72b-4ccf-bf90-288dedd591e7.filesusr.com/ugd/041b56_8875989cd8ab43068e6d5e8ecc563bce.pdf?index=true
    • https://63209029-b609-4f89-80e5-af59b408cdb4.filesusr.com/ugd/0713e6_80fa616b5e4d4230a53a6324f33aa7a9.pdf?index=true
    • https://uploads.strikinglycdn.com/files/7c403a58-dc84-46d9-a3a8-0a962de21ec3/garekagazokijogilokakan.pdf
    • https://uploads.strikinglycdn.com/files/61e8cac0-712a-49f4-95ed-d327763ba080/can_adhd_cause_aggressive_behavior.pdf
    • https://4a0f17ac-6ce6-4c05-9546-25c48d39d9f7.filesusr.com/ugd/cd79e3_bc30c46c9e0e48759e5be8a6b01e644c.pdf?index=true

Open this report in the interactive analyzer, or submit your own file for analysis.