Malicious PDF — malware analysis report

Static analysis result for SHA-256 50b496ddef6a1b7f…

MALICIOUS

PDF

Size: 67.8 KB
Created: 2021-06-04 13:38:17 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: 1dca782a4e13f2cd2cafe71b13702c01
SHA-1: b37691ea348696194082d82f7857d2a805adb5e0
SHA-256: 50b496ddef6a1b7fb7f735ac454e938b38018f6d65de7553402cf9612c800807
Risk Score: 184

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file functions as a link farm, containing numerous external links. One prominent URL, 'https://catamma.ru/pbw?utm_term=wrong+turn+3+movie+hindi+download+filmyzilla', appears to be a phishing lure for movie downloads. The presence of multiple external links and the ClamAV detection as 'Pdf.Phishing.Trojan' strongly suggest a malicious intent to redirect users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5247

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://catamma.ru/pbw?utm_term=wrong+turn+3+movie+hindi+download+filmyzilla (PDF link annotation)