Malicious PDF — malware analysis report

Static analysis result for SHA-256 773b2980a42e31e0…

MALICIOUS

PDF

44.9 KB Created: 2021-03-24 01:44:16 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 813c13f1b03dc4dba99f985083cf78a4 SHA-1: a34a97442e49428289966f56a9ae43fae44fad0e SHA-256: 773b2980a42e31e07aefb4f0bc5af18bec538624cfcb834b4b5f0f15472ac3c2
172 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF document is identified as malicious due to its structure, which resembles a screenshot lure designed to trick users into clicking embedded links. The document contains a critical heuristic firing for a malicious redirector link pointing to 'https://yafferge.ru/award?keyword=bibel+pdf+download+kostenlos'. This suggests the primary purpose is to redirect users to a phishing or malware distribution site. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7498

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 44 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://yafferge.ru/award?keyword=bibel+pdf+download+kostenlos
    • http://ppl-nutrshopfit.website/75782423485o55p1.pdf
    • http://housefashion.ru/knot_tying_ceremony_vowsd5tr4.pdf
    • https://jabexigiji.weebly.com/uploads/1/3/2/6/132695602/jeberos.pdf
    • https://cdn.sqhk.co/livefivepa/e1ibkjc/song_lyric_quiz_questions.pdf
    • https://cdn.sqhk.co/lanumakefu/ENjjfEE/tawebum.pdf
    • https://mebifexet.weebly.com/uploads/1/3/1/3/131381374/teguwit.pdf
    • http://hackins.site/how_to_install_water_line_for_refrigerator_ice_makerfgs0m.pdf
    • http://rankingcoach-seo.com/dinigusokidikaxuruxamt8hg.pdf
    • http://hdvideo.design/zovobikipuwurejewekurasijnbkzv.pdf
    • http://dovulup.iblogger.org/lobabufego.pdf
    • https://cdn.sqhk.co/mexovaru/NciiW6d/23052736165.pdf
    • https://cdn.sqhk.co/tawibonikigo/icJij89/hockey_manager_game_ios.pdf
    • http://pasivete.epizy.com/10389826439.pdf
    • https://8d67285a-e3c5-4820-bb1a-bb91ce1079a6.filesusr.com/ugd/d54300_43f4000eb1764eab90dda818f56791f0.pdf?index=true
    • https://a134ef9b-a212-4d8e-a35f-da3d896bbd40.filesusr.com/ugd/dadc92_b3c96e5b255341de807456978347e9cc.pdf?index=true
    • https://s3.amazonaws.com/remavuj/ost_tweening_webtoon.pdf
    • http://pabovabavuwemet.rf.gd/93376397203.pdf
    • https://5b949be5-44ef-49af-96c7-0ebaa8fe632e.filesusr.com/ugd/3402b1_2b578e7c243e4c8da6648fe817278a2b.pdf?index=true
    • https://s3.amazonaws.com/resixexi/in_text_citation_apa_report_no_author.pdf

Open this report in the interactive analyzer, or submit your own file for analysis.