Malicious PDF — malware analysis report

Static analysis result for SHA-256 25954532b67d42ce…

MALICIOUS

PDF

66.0 KB Created: 2021-04-19 08:40:49 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8328a2ec301fb240015e3b9b6dc611a0 SHA-1: 514ae957fce0d3f91be118f5da39aa5087b6b7d4 SHA-256: 25954532b67d42cec650c73d43dad01b965c307a0632579ef6ad7a44fbf697ec
Risk Score: 174

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF is an image-only lure of the kind used in phishing: a single full-page image with no text layer, overlaid with link annotations so that any click takes the user off-document. It carries numerous external links, most of them to other PDF files on a handful of free-hosting and CDN domains, plus one to 'baarspo.ru' that is most likely a phishing landing page or a download redirector. The authoring application (wkhtmltopdf) is consistent with a machine-generated document rather than an authored one. The ClamAV signature hit and the ML classifier score corroborate the malicious verdict.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7272

Heuristics (5)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    The PDF has 1 image and 0 text blocks, carries a click-outward URI action, and is only 65 KB: the typical shape of a phishing lure in which a full-page screenshot hides a clickable button that launches or submits to an attacker-controlled URL.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL
    • https://baarspo.ru/strik?utm_term=best+stock+market+books+in+india
    • http://zofugef.mypressonline.com/23260447094.pdf
    • https://cdn.sqhk.co/kerutadit/bLiehix/electric_trains_toys.pdf
    • http://wixomebimox.22web.org/40702567874.pdf
    • https://cdn-cms.f-static.net/uploads/4467589/normal_605fd4cc215ff.pdf
    • https://cdn.sqhk.co/negolura/j7jdfRg/linexeduvefav.pdf
    • https://static.s123-cdn-static.com/uploads/4418963/normal_5fc927029143e.pdf
    • https://dagolitufewanat.weebly.com/uploads/1/3/5/3/135345669/norulanuzorowe_ziwizarugovozaz_jizuxavokap.pdf
    • https://cdn.sqhk.co/jojevirelo/8nagjbr/zizujebojak.pdf
    • https://cdn.sqhk.co/vunalogivefu/Jhjmkgg/ninja_blade_pc_game_activation_key.pdf
    • http://foruzakitotilut.iblogger.org/fisiopatologia_doena_de_alzheimer.pdf
    • http://rupaduwovuw.getenjoyment.net/employee_evaluation_form_free.pdf
    • https://tufafoselebore.weebly.com/uploads/1/3/5/3/135389740/juminuserizeg.pdf
    • https://cdn.sqhk.co/mukutosi/hjmgdMN/pipuweluxeduw.pdf
    • https://9907981b-0bc7-4fd3-a434-169f7cdadf42.filesusr.com/ugd/575363_f92f4324524e45b8a302b4f400e765ca.pdf?index=true
    • https://1ffb5d6c-d890-49e0-9b87-dc10fbfa49e2.filesusr.com/ugd/8bc2a6_834bdf6071634d20ae0750d6ed5fd923.pdf?index=true
    • https://8ab1a2d5-e5b1-44c5-a28c-e09959565f0d.filesusr.com/ugd/eb712c_6514c3bf956c4f8ba6b36fc873c7d73e.pdf?index=true
    • https://4bf641bf-117a-4913-931f-55e49063997f.filesusr.com/ugd/5befcb_6db7680c04d34abca59d4ee989f90bfd.pdf?index=true
    • http://feduvuduselus.epizy.com/astaxantina_galena.pdf
    • https://a001dc82-f31e-4944-9b76-0a8e602b6855.filesusr.com/ugd/e4ee87_717a9b4fe74a4e228764cb6a36dd7e11.pdf?index=true
    • http://forevar.rf.gd/innovation_funnel_template.pdf
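The three structural heuristics above (PDF_URI, PDF_IMAGE_LURE, PDF_SEO_LINK_FARM) can be reproduced on raw PDF bytes without a full parser. The script below is an added example written for this page, not the scanner's own code: it builds a constructed, uncompressed image-only PDF with one /Link annotation per URI (the hostnames lure.example and cdn.example are illustrative and do not come from the report), pulls /URI action targets out of literal and hex strings, counts image XObjects and BT/ET text blocks, clusters link hosts, and returns the findings. The thresholds (150 KB, 10 PDF links, 50% on one host) are this example's assumptions, not the scanner's published values.

```python
import re
from collections import Counter
from urllib.parse import urlparse


def build_lure_pdf(uris):
    """Construct an uncompressed one-page PDF: a full-page image, no text
    operators, and one full-page /Link annotation per URI. This exists only
    to produce test input offline; it is not a sample from the report."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        None,  # page object, filled in once annotation object numbers are known
        b"<< /Type /XObject /Subtype /Image /Width 1 /Height 1 "
        b"/ColorSpace /DeviceGray /BitsPerComponent 8 /Length 1 >>\n"
        b"stream\n\x00\nendstream",
        b"<< /Length 30 >>\nstream\nq 612 0 0 792 0 0 cm /Im0 Do Q\nendstream",
    ]
    annot_ids = []
    for uri in uris:
        annot_ids.append(len(objs) + 1)          # object numbers are 1-based
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 0 612 792] "
                    b"/A << /S /URI /URI (" + uri.encode("latin-1") + b") >> >>")
    annots = b" ".join(b"%d 0 R" % n for n in annot_ids)
    objs[2] = (b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
               b"/Resources << /XObject << /Im0 4 0 R >> >> /Contents 5 0 R "
               b"/Annots [" + annots + b"] >>")
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (i + 1, o) for i, o in enumerate(objs))
    return b"%PDF-1.4\n" + body + b"trailer << /Root 1 0 R >>\n%%EOF\n"


# /URI values as PDF literal strings "(...)" (with \( and \) escapes allowed)
URI_LITERAL_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
# /URI values as PDF hex strings "<...>"; the lookahead skips "/URI <<" dictionaries
URI_HEX_RE = re.compile(rb"/URI\s*<(?!<)([0-9A-Fa-f\s]*)>")
IMAGE_RE = re.compile(rb"/Subtype\s*/Image\b")
TEXT_BLOCK_RE = re.compile(rb"\bBT\b.*?\bET\b", re.S)


def extract_uris(pdf):
    """Collect /URI action targets from literal and hex strings.
    Caveat: this scans raw bytes, so objects inside FlateDecode streams or
    object streams must be inflated first (pdf-parser, pypdf) or they are missed."""
    found = [m.replace(b"\\(", b"(").replace(b"\\)", b")").decode("latin-1")
             for m in URI_LITERAL_RE.findall(pdf)]
    found += [bytes.fromhex(h.decode("ascii")).decode("latin-1")
              for h in URI_HEX_RE.findall(pdf)]
    return found


def triage(pdf, small_limit=150 * 1024, farm_min_links=10, farm_cluster=0.5):
    """Apply the report's three structural heuristics to raw PDF bytes and
    return the evidence alongside the (severity, rule) findings."""
    uris = extract_uris(pdf)
    hosts = Counter(urlparse(u).hostname or "" for u in uris)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    pdf_links = [u for u in uris if urlparse(u).path.lower().endswith(".pdf")]
    images = len(IMAGE_RE.findall(pdf))
    text_blocks = len(TEXT_BLOCK_RE.findall(pdf))  # a lure may still hide invisible text
    small = len(pdf) <= small_limit
    findings = []
    if uris:
        findings.append(("info", "PDF_URI"))
    if small and images >= 1 and text_blocks == 0 and uris:
        findings.append(("medium", "PDF_IMAGE_LURE"))
    if small and len(pdf_links) >= farm_min_links and top_count >= farm_cluster * len(uris):
        findings.append(("critical", "PDF_SEO_LINK_FARM"))
    return {"size": len(pdf), "images": images, "text_blocks": text_blocks,
            "uris": uris, "top_host": top_host, "findings": findings}


if __name__ == "__main__":
    farm = ["https://lure.example/strik?utm_term=x"] + [
        f"https://cdn.example/{i}/doc{i}.pdf" for i in range(20)]
    for name, sample in (("single-link lure", build_lure_pdf(farm[:1])),
                         ("link farm", build_lure_pdf(farm))):
        result = triage(sample)
        print(name, result["size"], "bytes,", result["findings"])
```

On the report's sample the same logic would fire PDF_URI, PDF_IMAGE_LURE and PDF_SEO_LINK_FARM: 21 links, 1 image, 0 text blocks, 66 KB. Because it only looks at structure, the triage is cheap enough to run at the mail gateway before any detonation, but it must be fed inflated objects; a generator that wraps its annotations in a compressed object stream would otherwise yield zero URIs and no findings.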