Malicious PDF — malware analysis report

Static analysis result for SHA-256 7c5ec79c5eefabac…

MALICIOUS

PDF

Size: 65.0 KB
Created: 2021-03-27 16:09:54 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: de5ce5b3c6dc9c889fc725b5b96f389f
SHA-1: 74bf61ea1fc7edc7aa0a1fe7f3e4644fbed90c74
SHA-256: 7c5ec79c5eefabac828774b7cd9a641f0db6c8f4f8f6a5a99b22c534a0d0c5e2
Risk Score: 124

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. It contains numerous embedded URLs, with one specifically pointing to a suspicious domain ('gimoguvi.ru') that is likely part of a phishing or malware distribution scheme. The PDF's structure and the presence of multiple links suggest it's designed to redirect users to potentially harmful external sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9813

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://gimoguvi.ru/strik?utm_term=modine+hot+dawg+horizontal+venting