Malicious PDF — malware analysis report

Static analysis result for SHA-256 433dcb75488a68c3…

Verdict: MALICIOUS
File type: PDF
Size: 67.6 KB
Created: 2021-02-17 00:34:37 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 169e332ee33c67e6f8275ef54af91c97
SHA-1: 420a9e75cb842529265b0d5d39cf37801d113925
SHA-256: 433dcb75488a68c36136b76cc73af17ebdf03c3eb233cce807a7195b9c77e586
Risk Score: 124

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains multiple embedded URLs pointing to suspicious domains, and heuristic analysis identified it as a link farm on disposable hosting. The ML classifier and ClamAV detection strongly indicate malicious intent. The presence of external URIs and the nature of the URLs suggest the PDF is intended to redirect users to potentially malicious websites for phishing or further exploitation.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9360

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000eb01.bin
SHA-256: 813ac72b9307da5d78aacf365fcfdeeaa7f3c4ecd3ee4b273f7053c8ae188025
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xEB01
Size: 5392 bytes