PDF malware analysis — malicious · 3f6a528856438628

MALICIOUS

PDF

40.8 KB Created: 2021-03-23 20:58:00 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 139b070003d5dae0b080f9e45b17946d SHA-1: 1280945944de7d678a6b70db7688112af45336c4 SHA-256: 3f6a528856438628fed777c3f76209f68a9b86c2c277b1b562030a41ad4b14a8

174 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The PDF file is identified as malicious by ClamAV and ML classifiers, and exhibits characteristics of a phishing lure. It contains a large number of external links, many of which point to PDF files hosted on various domains, suggesting a link farm or a method to distribute further malicious content. The primary external URI, https://gimoguvi.ru/award?keyword=morris+cerullo+books+pdf, is likely the intended destination for the user, potentially leading to a phishing page or a download.

Machine Learning

Nyx PDF Classifier malicious score 0.8712

Heuristics 5

Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE

PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 40 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://gimoguvi.ru/award?keyword=morris+cerullo+books+pdf
- http://paruxezogu.mygamesonline.org/60462191094.pdf
- http://gurabagoderes.atwebpages.com/57402715588.pdf
- https://s3.amazonaws.com/rabewiruzitewa/41919342600.pdf
- https://86f5e18a-8766-4ae7-b9bf-31430b627380.filesusr.com/ugd/911c12_732fbc93550f4ccabb575f643c51b1b1.pdf?index=true
- https://s3.amazonaws.com/tapexiw/canon_camera_200d_manual.pdf
- http://bajipodi.epizy.com/18684809326.pdf
- https://s3.amazonaws.com/dujepav/3944330285.pdf
- https://uploads.strikinglycdn.com/files/092a0bb1-d8ca-4986-8bb1-5bc5ce97523a/recolectar_datos_definicion.pdf
- https://s3.amazonaws.com/polexebuj/42502130538.pdf
- https://s3.amazonaws.com/zopenave/2977329179.pdf
- https://s3.amazonaws.com/tinivukedeta/worexomopogek.pdf
- https://7a1f2a0d-094a-4466-88af-72a4af93b9fa.filesusr.com/ugd/22739b_d82b207d21c44452a4caef87f27487e5.pdf?index=true
- https://45b0b119-5f8c-43e7-b437-4e12d17c1c81.filesusr.com/ugd/3826db_3536954c6c3343aab8cf41aedec3229d.pdf?index=true
- http://pidivatepijalaw.epizy.com/mlb_weather_report_tomorrow.pdf
- https://s3.amazonaws.com/sudevejerifu/arcsight_windows_connector.pdf
- https://uploads.strikinglycdn.com/files/5d4ac0fe-297d-4ee3-b539-5f5b9a007590/principios_fundamentales_del_derecho_procesal_civil_dominicano.pdf
- https://uploads.strikinglycdn.com/files/629e2592-3fb2-4c8b-8074-620631a31c17/zovapigadafamasamilupu.pdf
- https://uploads.strikinglycdn.com/files/0d53bfcc-c97c-41d1-8643-ce9ee3a0910b/maths_entrance_exam_questions_and_answers.pdf
- https://s3.amazonaws.com/muvazi/aaron_neville_album_free.pdf
- http://pibanexotobove.rf.gd/nizemabol.pdf
- https://d0fd53c2-66a5-49f7-a942-a4bfc50892a3.filesusr.com/ugd/11baf9_b67a223252bd48769f7c715b48d9011a.pdf?index=true

Open this report in the interactive analyzer, or submit your own file for analysis.