Malicious PDF — malware analysis report

Static analysis result for SHA-256 33f7338e79211206…

Verdict: MALICIOUS
File type: PDF
Size: 75.6 KB
Created: 2021-03-23 01:10:11 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4f76e3547c1a62e39292e023b0c12aa4
SHA-1: 65045f4e883cd945f820daef534d380232c216e4
SHA-256: 33f7338e79211206f0f0d445c11927d410cc2565d7d0d7f64b01d6cd152dc9bb
Risk Score: 124

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains numerous external links, with one prominent URL suggesting a lure for a "Blue team handbook incident response edition pdf download". The ML classifier and ClamAV detection strongly indicate maliciousness, likely a phishing attempt or a link farm for malware distribution. No scripts were extracted, but the PDF structure itself is indicative of malicious intent.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.8275

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://leonvi.ru/aws?utm_term=blue+team+handbook+incident+response+edition+pdf+download
    • https://cdn.sqhk.co/wavefekus/djdu6Pa/rujijejuvufaxewasa.pdf
    • https://cdn-cms.f-static.net/uploads/4459326/normal_60464aeea989e.pdf
    • http://ridovise.sportsontheweb.net/26894007203.pdf
    • http://rowowesofazov.medianewsonline.com/ropoxapu.pdf
    • https://cdn-cms.f-static.net/uploads/4373753/normal_605913e02f28a.pdf
    • https://cdn.sqhk.co/zulatobi/dziC4Ox/brasfoot_2019_atualizacao_julho.pdf
    • https://cdn.sqhk.co/foradimotiri/iagjhbr/34610808370.pdf
    • http://kimujedat.mygamesonline.org/cisco_ccna_voice_book.pdf
    • https://uploads.strikinglycdn.com/files/9c9c2cc8-a331-4540-bdd4-ebce116f341e/sivivafavolamazokuma.pdf
    • https://s3.amazonaws.com/wofaxil/72590192484.pdf
    • https://s3.amazonaws.com/zarevizebi/daminulawugomemo.pdf
    • https://590703a0-be71-4d3c-a49f-17767d5969ef.filesusr.com/ugd/656c20_5c041a6e82684db09d1e48e67e1cbd59.pdf?index=true
    • https://b6086c54-8ef4-40f3-ba18-bbbb993b339e.filesusr.com/ugd/36e927_816b46729c394ed79e0f6549b6dede51.pdf?index=true
    • https://s3.amazonaws.com/nijosinizo/lusutisik.pdf
    • https://s3.amazonaws.com/gidibesuxi/alif_lam_mim_lk21.pdf
    • https://uploads.strikinglycdn.com/files/4679529f-d0df-49ea-bacd-09ddca4901c6/memirujumu.pdf
    • https://s3.amazonaws.com/zusevamasor/sanadefu.pdf
    • https://fea67d75-dd3b-4bdd-af05-748e92ec8a52.filesusr.com/ugd/05900a_1222db30b2944603a2c2e0c6fabb8ec4.pdf?index=true