Malicious PDF — malware analysis report

Static analysis result for SHA-256 59475d507e45e45f…

MALICIOUS

PDF

Size: 49.6 KB
Created: 2020-12-11 07:31:42 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: beec331122fb6267e7a7ba2889452a4b
SHA-1: b7bdfdf30c31d8ea376d620778a2f46c87dd1d0d
SHA-256: 59475d507e45e45f9dc43dd27dc21af374eb5c7d296209d1b013d15805ed6397
Risk score: 212

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains multiple embedded links, with at least one pointing to known malicious redirector infrastructure. The presence of a link farm and a ClamAV detection for 'Pdf.Phishing.Trojan' strongly suggests a phishing or malware distribution attempt. No scripts were extracted, but the document structure and embedded links indicate a malicious intent to redirect the user.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6742

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.