PDF malware analysis — malicious · 673f47905d7e8de3

MALICIOUS

PDF

39.0 KB Created: 2021-09-28 23:32:25 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-11-21

MD5: 0376152d969081c675d85e368a14e724 SHA-1: 71bd641a083ebb0c8e6199df2e6246a3398173f3 SHA-256: 673f47905d7e8de355f7f4ef7e5812a8e6f4dfd220d500fb159e25c570ceb751

144 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

This PDF is identified as malicious by ML classifiers and ClamAV, and exhibits characteristics of a phishing lure. The heuristic PDF_IMAGE_LURE indicates it's an image-only document with a click-outward action, typical for directing users to malicious sites. Multiple external URIs were extracted, suggesting the document's primary purpose is to redirect users to potentially harmful content.

Machine Learning

Nyx PDF Classifier malicious score 0.8883

Heuristics 5

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE

PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 39 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://medvor.ru/uplcv?utm_term=jarvis+live+wallpaper+free+download PDF link annotation
- https://xn--z4qq44i.tw/upload/actfiles/tebozepoxiregalekujawuro.pdfIn PDF document text
- http://xn--brneneskontor-landsforening-b0c.dk/userfiles/file/6132357365.pdfIn PDF document text
- https://podimercrm.com/img/files/takiwisomapelo.pdfIn PDF document text
- http://myphamnanyno.com/luutru/files/pimekoz.pdfIn PDF document text
- http://tabouligrill.com/ckfinder/userfiles/files/5308595154.pdfIn PDF document text
- http://xn--djr00fsyfv0o5qgy9u.com/filespath/files/20210905113141.pdfIn PDF document text
- https://obermeyer-modemarkt.de/upload/file/movutebokakobedazafi.pdfIn PDF document text
- https://iword.de/userfiles/file/69950351021.pdfIn PDF document text
- https://amadesafar.ir/basefile/amadesafarir/files/jojawonukigisadewuv.pdfIn PDF document text
- http://diagnosticaedilizia.com/userfiles/files/56059738306.pdfIn PDF document text
- http://controlsystemco.com/cache/fck_files/file/zapafemazejawopi.pdfIn PDF document text
- http://www.pes.edu.mn/ckfinder/userfiles/files/97361661499.pdfIn PDF document text
- https://www.kiemtoandongnghi.com/public/plugins/ckfinder/userfiles/files/36921564466.pdfIn PDF document text
- http://thailaundry.com/imgUpload/files/72333512830.pdfIn PDF document text
- http://jungam21.com/upfiles/file/1631843534.pdfIn PDF document text
- https://gulf-rope.com/images/bulk_images/files/25626378389.pdfIn PDF document text
- http://yuanhebiotech.com/upload/files/batofetiwezuje.pdfIn PDF document text
- https://alharithiforcameras.com/ckfinder/userfilesIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.