Malicious PDF — malware analysis report

Static analysis result for SHA-256 2334cf122057de3d…

MALICIOUS

PDF

41.4 KB Created: 2020-12-13 14:57:24 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2c7e2897d0679dd9e7a16662b8604944 SHA-1: 7200b6bfcda364482ea8c9b913523ab3aa43eda4 SHA-256: 2334cf122057de3d166c9e783e4f37cd5482dc56bdcbf6ab166f623b7f2a279c
174 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF document is identified as malicious by ClamAV and an ML classifier, exhibiting characteristics of a phishing lure. The 'PDF_IMAGE_LURE' heuristic indicates it's an image-only document designed to trick users into clicking an embedded URI. The presence of numerous external PDF links, including 'https://gofobodobade.weebly.com/uploads/1/3/4/4/134444694/9476ad48b.pdf', suggests a link farm or a mechanism to redirect users to malicious content. The primary external URI observed is 'https://traffine.ru/aws?utm_term=baidu+root+apk+mirror'.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8178

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 41 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffine.ru/aws?utm_term=baidu+root+apk+mirror
    • https://gofobodobade.weebly.com/uploads/1/3/4/4/134444694/9476ad48b.pdf
    • https://nogapixefakul.weebly.com/uploads/1/3/4/5/134590999/4832420.pdf
    • https://cdn-cms.f-static.net/uploads/4486975/normal_5fba16e48655a.pdf
    • https://nopiwevupemaro.weebly.com/uploads/1/3/4/6/134653234/tavujewoxudivaluzox.pdf
    • https://lexigeme.weebly.com/uploads/1/3/4/5/134524735/316ae.pdf
    • https://cdn-cms.f-static.net/uploads/4377678/normal_5f93c0e90cb23.pdf
    • https://static.s123-cdn-static.com/uploads/4416299/normal_5fcbc2dd44752.pdf
    • https://soxokelu.weebly.com/uploads/1/3/4/4/134494323/4726507.pdf
    • https://cdn-cms.f-static.net/uploads/4391909/normal_5fc136c47be77.pdf
    • https://cdn-cms.f-static.net/uploads/4424933/normal_5fa4b24256ca2.pdf
    • https://jonapofa.weebly.com/uploads/1/3/4/6/134699055/c5b0bb.pdf
    • https://uploads.strikinglycdn.com/files/3a820ce0-24a0-4108-a44e-971570ed33e9/25258665935.pdf
    • https://s3.amazonaws.com/zabejuvijolu/levodopa_dosage_form.pdf
    • https://uploads.strikinglycdn.com/files/b94ef90d-0243-4864-915a-df6c557ee72d/xazovobewemaluvobemuluxot.pdf
    • https://static1.squarespace.com/static/5fc36ab7a879396864183595/t/5fd1abb01693665fc7cf63b8/1607576501486/pezejisavopupebuwe.pdf

Open this report in the interactive analyzer, or submit your own file for analysis.