Malicious PDF — malware analysis report

Static analysis result for SHA-256 8a1fae1890c701dd…

MALICIOUS

PDF

Size: 63.2 KB
Created: 2021-04-11 03:17:14 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c3ac7c54aba93656d9053619d84b2fad
SHA-1: 0534369446e43089bfe1a1d0a99dac80c1971c87
SHA-256: 8a1fae1890c701ddb4432e29456ac7aa271e2204dd14f058a864700e4435a74f
Risk Score: 114

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file is identified as malicious because of its structure, which resembles a screenshot lure designed to trick users into clicking embedded links. It contains a large number of external PDF links, with one prominent URL pointing to a potential phishing or malware distribution site. No scripts were extracted, but the PDF structure itself suggests an attempt to deliver a malicious payload or redirect the user to a malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8879

Heuristics (4)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image-only document with action trigger (screenshot lure) (medium, PDF_IMAGE_LURE)
    PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 63 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://gimoguvi.ru/strik?utm_term=what+are+reading+comprehension+questions