Malicious PDF — malware analysis report

Static analysis result for SHA-256 76868e326294e34f…

Verdict: MALICIOUS

File type: PDF
Size: 103.4 KB
Created: 2021-04-29 05:35:52 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 59ffeda1178986c5cf4992f1979834ba
SHA-1: 543d29b23d537dd05365783b99943d87f4e8007a
SHA-256: 76868e326294e34fbe6fa250fd6d5c41ba6f902233731fc24c84f6008cd75e1c
Risk Score: 154

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic, suggesting a link farm or phishing attempt. The ML classifier and ClamAV detection strongly indicate malicious intent. While no scripts were extracted, the presence of numerous URLs points towards a malicious document designed to redirect users to potentially harmful sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9466

Heuristics (4)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • [info] PDF_URI: External URI
    PDF contains an external URL action
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.