Malicious PDF — malware analysis report

Static analysis result for SHA-256 52db95703a416a4d…

MALICIOUS

PDF

59.1 KB Created: 2020-12-21 01:50:16 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 478ad264b91ea28e54520909c8536a61 SHA-1: 25fcb555f2a9dcfcb063d1c3dea6ac277e94932e SHA-256: 52db95703a416a4d21c5031bfefb40097706bf437786256284633a21278ba549
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of external links, with a critical heuristic identifying it as a PDF link farm. One of the embedded URLs, 'https://traffine.ru/aws?utm_term=yamla+pagla+deewana+movie++bestwap', suggests a potential phishing or malicious content lure. The ClamAV detection and ML classifier further support its malicious nature, indicating it's likely a phishing or trojanized PDF.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6659

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffine.ru/aws?utm_term=yamla+pagla+deewana+movie++bestwap
    • https://jaxuwigoba.weebly.com/uploads/1/3/4/2/134266140/gorej_vegamijifawuna.pdf
    • https://getarejiviwos.weebly.com/uploads/1/3/4/6/134683174/kuzipebanuka.pdf
    • https://cdn-cms.f-static.net/uploads/4392470/normal_5f9657a3e7368.pdf
    • https://cdn-cms.f-static.net/uploads/4370273/normal_5f9cae18d1faf.pdf
    • https://cdn-cms.f-static.net/uploads/4407066/normal_5fb037131125f.pdf
    • https://lakujasoramaw.weebly.com/uploads/1/3/4/4/134400634/kojaku-ribuxerotuk-tumakuvolit-nufepe.pdf
    • https://static.s123-cdn-static.com/uploads/4453914/normal_5fc56f79f2508.pdf
    • https://cdn-cms.f-static.net/uploads/4459941/normal_5fbee40a76e40.pdf
    • https://uploads.strikinglycdn.com/files/60dd45b7-d0cb-4f60-8922-6c96bca74d78/grey_water_tank_valve.pdf
    • https://uploads.strikinglycdn.com/files/9d5f4c30-7595-4d04-abc6-3e99573480af/pathfinder_special_materials_guide.pdf
    • https://static1.squarespace.com/static/5fbce344be7cfc36344e8aaf/t/5fbe0a65f81c9a2a0c69670a/1606290022028/89490681433.pdf
    • https://static1.squarespace.com/static/5fc790fbfc603311fbfb0c74/t/5fd152a54013ae1180f631a2/1607553703406/bizabufifubupip.pdf
    • https://static1.squarespace.com/static/5fc382c93398ff75153e5d72/t/5fc7f81780911801a335676f/1606940696601/arkham_card_game_db.pdf
    • https://uploads.strikinglycdn.com/files/5fd19547-549f-4615-9e12-793d7d9596d7/pavosupuzadixolafaza.pdf

Open this report in the interactive analyzer, or submit your own file for analysis.