Malicious PDF — malware analysis report

Static analysis result for SHA-256 7ed85406139409bd…

Verdict: MALICIOUS
File type: PDF
Size: 50.6 KB
Created: 2020-12-07 16:19:18 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 04b69aa936ee88d13c7aa2a1b8b0a8d7
SHA-1: 52d5e6d68ef0d2576505ebb1a443fe758a9fff0d
SHA-256: 7ed85406139409bdd4ceae19c9c0b5e8a0e00787a872c2318220a67640f7e151
Risk Score: 242

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file contains a large number of embedded links, many of which point to external PDF files hosted on disposable domains. One of the initial links directs to known malicious redirector infrastructure, indicating a phishing or scam attempt. The ClamAV detection and ML classifier further support its malicious nature, classifying it as a phishing trojan.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.7198

Heuristics (5)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL flagged as the redirector link: https://traffmen.ru/aws?utm_term=beamer+lyx+template