Malicious PDF — malware analysis report

Static analysis result for SHA-256 72cb197ca66abb19…

MALICIOUS

PDF

75.8 KB Created: 2021-05-08 07:31:15 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-08-20
MD5: 7ab6ec2d5c3a6eec4a61b50a4d7b3a9c SHA-1: cf81af31fcf6039cf54b69a522bb351bb25e08f4 SHA-256: 72cb197ca66abb192f41be0981336897df9fca4e308ed1de941921fd551de6be
196 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

This PDF file was flagged by multiple heuristics as malicious, including ClamAV and an ML classifier, indicating it is likely a phishing or malware distribution lure. It contains numerous external links, with a critical heuristic identifying it as a PDF link farm or SEO redirector. The primary malicious URLs identified are https://leonvi.ru/strik?utm_term=writer+of+mrs+funnybones and http://welitizenowem.mywebcommunity.org/55446979284.pdf, which are likely used to redirect users to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://leonvi.ru/strik?utm_term=writer+of+mrs+funnybones PDF link annotation
    • http://welitizenowem.mywebcommunity.org/55446979284.pdfIn PDF document text
    • https://sezitoxonuga.weebly.com/uploads/1/3/4/8/134886233/6722382.pdfIn PDF document text
    • http://axecheat8.xyz/the_five_dysfunctions_of_a_team_book4w4f2.pdfIn PDF document text
    • http://xuzerujagojagip.scienceontheweb.net/living_clean_cleaners.pdfIn PDF document text
    • https://ripumunilemaz.weebly.com/uploads/1/3/5/3/135302863/bagadiro_ruzegotigowumak.pdfIn PDF document text
    • http://deflecfcvy.best/computer_salary_jobsld8oe.pdfIn PDF document text
    • https://ruzepekipup.weebly.com/uploads/1/3/1/3/131398244/c02936e67c180.pdfIn PDF document text
    • http://geekcods.com/86440506459flhwg.pdfIn PDF document text
    • http://maxoranano.sportsontheweb.net/purezuni.pdfIn PDF document text
    • https://mekupefaju.weebly.com/uploads/1/3/5/3/135316310/wipinemosijofor.pdfIn PDF document text
    • https://xujebope.weebly.com/uploads/1/3/4/0/134018561/cb4efb62f14a0.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://s3.amazonaws.com/bisegilupuf/21428478955.pdfIn PDF document text
    • https://s3.amazonaws.com/lawakux/michael_vey_book_7_summary.pdfIn PDF document text
    • https://s3.amazonaws.com/najipavez/pc_administrator_password_recovery_software_free.pdfIn PDF document text
    • https://s3.amazonaws.com/nevowimo/quantitative_equity_portfolio_management.pdfIn PDF document text
    • http://motuvogipe.onlinewebshop.net/jurnal_vertebrata_dan_invertebrata.pdfIn PDF document text
    • https://s3.amazonaws.com/rujabepifar/joxuwajurelesojofu.pdfIn PDF document text
    • https://s3.amazonaws.com/fumiposamisur/2019_afl_season_fixture.pdfIn PDF document text
    • https://s3.amazonaws.com/mikibetiv/supimazofutevebut.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Related samples 8

Ranked by shared artifacts, heuristics, extracted URLs, CVEs, and signatures.

Full JSON: related samples API

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ec5f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEC5F 4928 bytes
SHA-256: 0532dfd8fb1f33689df22db8e938d669dc949c9c057a978fdef333e73f737e03
font_01_sfnt_off0000fd22.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFD22 10872 bytes
SHA-256: 2c1839ba70058aac3d471fd035ff2b93e7b016217c2a947421542a5fbb52b41a

Open this report in the interactive analyzer, or submit your own file for analysis.