Malicious PDF — malware analysis report

Static analysis result for SHA-256 240048b624b866aa…

MALICIOUS

PDF

Size: 63.6 KB
Created: 2021-05-08 16:56:55 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-22
MD5: 4f613060a3988b45ced855275390e045
SHA-1: 36a586e36ae465adf1c25e395e7aa63472642c80
SHA-256: 240048b624b866aa8c656a7a461ca0b8040087810d774928c043be12c063251b
Risk Score: 154

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.5348

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.