PDF malware analysis — malicious · 31c6452ad734b21f

MALICIOUS

PDF

53.1 KB Created: 2021-03-14 15:45:31 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 46a1d5b4b9db905a7134993e1ded3678 SHA-1: a9ca52d952b8439b84c79dc56945582d7a700b12 SHA-256: 31c6452ad734b21fc85524bc765ca7ed8b56a7a46a5be149349c7b29273387e6

174 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

This PDF document is identified as malicious by ClamAV and ML classifiers, exhibiting characteristics of a phishing lure. The PDF_IMAGE_LURE heuristic indicates it's an image-only document designed to trick users into clicking an embedded action. The PDF_SEO_LINK_FARM heuristic reveals a large number of external PDF links, suggesting a link farm or redirection mechanism. The primary IOC is the URL 'https://baarspo.ru/award?keyword=amoxicilina+bd+bula+pdf', which is likely the initial destination for the phishing attempt.

Machine Learning

Nyx PDF Classifier malicious score 0.7008

Heuristics 5

Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE

PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 53 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://baarspo.ru/award?keyword=amoxicilina+bd+bula+pdf
- http://rgtuitp.ru/accu-chek_compact_plus_test_strips_51_eachmm0g9.pdf
- http://securityverifiedservices.com/bolelixigdtqxu.pdf
- https://muwozijazi.weebly.com/uploads/1/3/4/7/134736858/2773649d7c7a1.pdf
- http://dirujadejefogax.iblogger.org/rorodugatojenibinob.pdf
- https://static.s123-cdn-static.com/uploads/4485014/normal_5ff3112f8ead0.pdf
- http://osmosiotzs.fun/hungry_shark_evolution_dinheiro_infinito_apkw0wwv.pdf
- https://static.s123-cdn-static.com/uploads/4413563/normal_5ff8939ca5eab.pdf
- https://cdn.sqhk.co/rijomawonuj/igje9jg/download_we_heart_it_premium.pdf
- https://lorerepurukese.weebly.com/uploads/1/3/1/4/131453396/9bd4c9ae8064.pdf
- https://cdn.sqhk.co/dikapagoloza/Phd2Wtu/90607397091.pdf
- http://new-volosi.ru/60055112141q6zxg.pdf
- https://cdn.sqhk.co/zafowavo/2KEjhsd/79007266129.pdf
- http://axecheat5.xyz/blackberry_link_software_for_pcn76i4.pdf
- https://bojomuse.weebly.com/uploads/1/3/4/4/134462584/8000173.pdf
- https://cdn.sqhk.co/ginijetemepa/ibUjcge/mujonixowezaxu.pdf
- http://xemajerekagow.epizy.com/balance_sheet_explained.pdf
- https://ca3ec1ac-6ff7-4c8f-ae0f-86a30d86e335.filesusr.com/ugd/3615fb_6e9a31506d5a40e3996291a44e27a9ab.pdf?index=true
- https://7be8961d-effb-4c78-a255-78c3c9f0be09.filesusr.com/ugd/3dd68e_34215f4aa6d64512a5aea257bef8566b.pdf?index=true
- https://72a23b54-95c1-47c0-80d6-f7b1310faeb8.filesusr.com/ugd/65b209_c72d4b306c4c40fd884fc400d05c792c.pdf?index=true
- https://a2876ee3-c470-454a-91e2-e108d831033a.filesusr.com/ugd/e8dba5_ed085de871bc4ff49ad8aff46b08145e.pdf?index=true
- https://1c684d3d-b1aa-4d58-8f8e-408f9cf37fac.filesusr.com/ugd/64d889_ad4d9293d9f744dc90f0d31e4fed78c1.pdf?index=true

Open this report in the interactive analyzer, or submit your own file for analysis.