Malicious PDF — malware analysis report

Static analysis result for SHA-256 7e99b9fa8c35eb93…

MALICIOUS

PDF

43.5 KB Created: 2021-03-31 16:32:10 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: efe2a7a75c476abc95c9a5bb01e9f423 SHA-1: 11bb7fa43ea0dc38e1bf746a928e9050bb5ca574 SHA-256: 7e99b9fa8c35eb93537603e2d39f878adc10445e46cd89d0223f776d34015077
174 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF document is identified as malicious by ClamAV and an ML classifier, exhibiting characteristics of a phishing lure. The PDF contains a single image and minimal text, typical of a screenshot designed to hide a clickable link. Multiple external URLs are embedded, suggesting a link farm or redirection to malicious content. The document's structure and embedded links strongly indicate an attempt to direct users to external sites for credential harvesting or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8080

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 43 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://gimoguvi.ru/award?keyword=theory+of+biogenesis+and+abiogenesis+pdf
    • https://cdn.sqhk.co/bugininaxi/cFjjibN/kabarepiwek.pdf
    • https://sipovabamekejo.weebly.com/uploads/1/3/5/3/135391609/xirufupuperakajezisa.pdf
    • https://rotasemenedifo.weebly.com/uploads/1/3/5/9/135985080/kerinazenopoz_sokatomixifuxe.pdf
    • https://kuruxeronujupo.weebly.com/uploads/1/3/4/4/134477992/zuxanujim.pdf
    • https://kiluzamomumu.weebly.com/uploads/1/3/5/3/135344913/bizasider_rakeniloluranup_lopemoleboje.pdf
    • https://pananufizusa.weebly.com/uploads/1/3/4/4/134445813/dilerapifit.pdf
    • https://kesozelakix.weebly.com/uploads/1/3/5/3/135300748/ligisonibude_sovefalaludez.pdf
    • https://pawawejovotete.weebly.com/uploads/1/3/2/8/132814611/8f34190da.pdf
    • https://sirewuri.weebly.com/uploads/1/3/5/2/135298631/e4a9b46400.pdf
    • https://cdn.sqhk.co/xurawupo/ouqdvgc/dune_2020_trailer_leak_images.pdf
    • https://6f2fb29c-15f2-4b08-b525-3eb91a7f0a41.filesusr.com/ugd/c3548c_16aee39fd97c48bc80c4d30afeb4f6a7.pdf?index=true
    • https://s3.amazonaws.com/wanalovum/83260705960.pdf
    • https://s3.amazonaws.com/turip/apbn_2020.pdf
    • https://926da24b-d3df-4aea-ac1b-ebdf7359a9e7.filesusr.com/ugd/fef925_0baa0edf7ff242ed91187bd01700b98c.pdf?index=true
    • https://s3.amazonaws.com/damerirazib/siren_season_3_episode_guide.pdf
    • https://2ae8fa2d-8b21-4cd7-bd94-b44763fb9b4d.filesusr.com/ugd/8e1ec7_8379a49ec49c42bea8e85993589031aa.pdf?index=true
    • https://s3.amazonaws.com/duzexefemosaxe/10_best_resistance_band_exercises_for_arms.pdf
    • https://s3.amazonaws.com/jojitagifuva/puparara.pdf
    • https://04a80c79-134c-446e-801b-0c1635678e59.filesusr.com/ugd/5cebf8_03f0edbb8a8145caaa38579a3b9ab306.pdf?index=true

Open this report in the interactive analyzer, or submit your own file for analysis.