Malicious PDF — malware analysis report

Static analysis result for SHA-256 7bd7bbda01569b91…

MALICIOUS

PDF

66.5 KB Created: 2021-04-06 10:13:36 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-25
MD5: 3769c60ba13c8d7a55e5efd6f3bc86e7 SHA-1: 5bad1299756ed343f202158bfa210e9fff515070 SHA-256: 7bd7bbda01569b916fde82a5ca338fb1634703c355f24ce7c592d7ab4c000994
184 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6329

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://dugedepap.ru/award?keyword=10th+class+chemistry+notes+pdf+federal+board PDF link annotation
    • https://cdn.sqhk.co/nogawevorus/GYVhihj/spongebob_sponge_on_the_run_netflix_release_date.pdfIn PDF document text
    • http://btsworld.org/460062961388jj6l.pdfIn PDF document text
    • http://fionainthefield.org/53890827540wyq3c.pdfIn PDF document text
    • https://cdn.sqhk.co/galudubujuwa/cVKihET/1979_revolution_black_friday_game.pdfIn PDF document text
    • http://demask.space/29549130539gwz9e.pdfIn PDF document text
    • https://cdn.sqhk.co/pixazizaze/iaifid6/cold_dead_eyes_meaning.pdfIn PDF document text
    • http://limecash.xyz/73157187790nkzun.pdfIn PDF document text
    • http://contact-git.top/norton_anthology_of_drama_shorter_3rd_editionnj33b.pdfIn PDF document text
    • http://proita.space/miwalesapenuzokxjyiv.pdfIn PDF document text
    • http://899themes-demo.ru/la_fascinante_historia_de_las_palabras25lkv.pdfIn PDF document text
    • https://cdn.sqhk.co/kiwametin/gehiSij/julio_iglesias_my_life_greatest_hits_album.pdfIn PDF document text
    • https://cdn.sqhk.co/jerizukop/YjCyTPu/xaveponoposuxusu.pdfIn PDF document text
    • https://cdn.sqhk.co/lubometusoz/ggidhcN/livazomezasegamuvujar.pdfIn PDF document text
    • http://obmenkalnr.online/how_to_clean_a_30-30_winchester_model_94nky8p.pdfIn PDF document text
    • http://foyou.store/equest_pramox_pas_cher3fj8d.pdfIn PDF document text
    • https://cdn.sqhk.co/xiladuxe/iX9igig/88365352208.pdfIn PDF document text
    • https://cdn.sqhk.co/pinuwinepasu/jujj36F/good_morning_photo_love_shayari.pdfIn PDF document text
    • https://5926284e-b61c-4ed0-95e5-27b9feedd2c3.filesusr.com/ugd/50c35f_5e0072f8a1c241c39e6842a57075f311.pdf?index=trueIn PDF document text
    • https://e4fb9bf1-a3d6-4767-9bf2-2a1021e5dc09.filesusr.com/ugd/53cfc7_7f854e7f21bd40d4ad7de69d07967132.pdf?index=trueIn PDF document text
    • https://6d23287f-a15b-43b7-8d69-700c0e01f504.filesusr.com/ugd/185c00_83b712790ec441c8ba5b867543e7bc05.pdf?index=trueIn PDF document text
    • https://973697ad-ffa4-4f9d-85cd-0c9d1ea039ee.filesusr.com/ugd/5f5755_79fbe8c81bbd48a9b005137c5a0b6e95.pdf?index=trueIn PDF document text
    • https://9b08d158-0e0f-4203-9b31-e1272d977b1c.filesusr.com/ugd/086daf_fca7e66c85464a1395d9698b0058c340.pdf?index=trueIn PDF document text
    • https://cb38ef3f-1f2c-4622-8962-dca261660167.filesusr.com/ugd/3ae201_e5bfa939fe91446e869e9fe5046e7047.pdf?index=trueIn PDF document text
    • https://7f58a6d3-5723-489e-a2bd-17fd91e1ddd5.filesusr.com/ugd/655495_529de8e09a4f415ba9d27f60f8a2e394.pdf?index=trueIn PDF document text
    • https://856cb5e6-6c81-45ce-9604-b57907a15cd2.filesusr.com/ugd/cc3ca9_7e0f45e58ee142d7b9d660b8fa1b036d.pdf?index=trueIn PDF document text
    • https://8641c524-1fb5-4292-87ed-dd72f64d6c22.filesusr.com/ugd/9b7d8a_06591bf3f7854b9c9c5f6edec1c38c84.pdf?index=trueIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.