Malicious PDF — malware analysis report

Static analysis result for SHA-256 81b9e078b957f9c5…

MALICIOUS

PDF

49.6 KB Created: 2021-02-13 13:10:14 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3d2bb19e0420630f21f03f4216bfe8ff SHA-1: b91d06b0886aa9988164b9152a32f9b85d0f878d SHA-256: 81b9e078b957f9c5dfaa9408a22a2286dbf1f8db7714069026f9424de1240078
144 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The sample is a PDF file identified as malicious by ClamAV and an ML classifier, exhibiting characteristics of a phishing lure. It contains numerous external URLs, many hosted on disposable domains, suggesting an attempt to redirect users to malicious sites. The PDF structure, with minimal text and a large image, is typical for a screenshot-based lure designed to trick users into interacting with embedded links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7338

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 49 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jottigo.ru/aws?utm_term=legal+requirements+for+storing+business+information
    • https://bajorenurelop.weebly.com/uploads/1/3/0/7/130739037/tezowusomugitesised.pdf
    • https://static.s123-cdn-static.com/uploads/4372955/normal_5ffbccfb8a09a.pdf
    • https://static.s123-cdn-static.com/uploads/4392209/normal_5fff5bb105a5c.pdf
    • http://stonersfranchise.com/jutadupobemadagkzqwh.pdf
    • https://static.s123-cdn-static.com/uploads/4421466/normal_5fccf78eca482.pdf
    • http://com-copyrighit.com/torn_acl_and_meniscus_surgery_recovery3l0ig.pdf
    • https://cdn-cms.f-static.net/uploads/4369923/normal_601bb7db54e3a.pdf
    • https://megogira.weebly.com/uploads/1/3/4/5/134590171/b15cd31cb6de8.pdf
    • https://tatazopizen.weebly.com/uploads/1/3/1/1/131163492/1774273.pdf
    • https://cdn-cms.f-static.net/uploads/4487201/normal_600adaac0a9c2.pdf
    • https://fekipasipoxow.weebly.com/uploads/1/3/1/6/131637207/841df8de4b.pdf
    • http://form-lnstagramcopyrightservice.com/lord_baden_powell_informationg4a63.pdf
    • https://mejebepagomuda.weebly.com/uploads/1/3/4/4/134494428/3507070.pdf
    • http://vvinorama.fun/80977627600zx9hy.pdf
    • https://s3.amazonaws.com/dosipive/girl_guide_badges_canada.pdf
    • https://s3.amazonaws.com/benubapopikaj/salesforce_certification_path_guide.pdf
    • https://s3.amazonaws.com/gizonukorad/number_system_and_binary_code.pdf
    • https://s3.amazonaws.com/dotivaf/mejupo.pdf

Open this report in the interactive analyzer, or submit your own file for analysis.