Malicious PDF — malware analysis report

Static analysis result for SHA-256 8e5aed9aed90b1ad…

Verdict: MALICIOUS
File type: PDF
Size: 58.6 KB
Created: 2021-03-13 19:45:02 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8979844f73702d96abfa947ecd7991e8
SHA-1: ad6b5d532d12145e1685ec2d68c8ce1128e81fed
SHA-256: 8e5aed9aed90b1adb4c700b7d50dba3d2564ea6da6d767cd2d4931ab5a017e2c
Risk score: 134

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is a PDF carrying link annotations that point to several suspicious domains, one of which is flagged as a lure target. A ClamAV signature match (Pdf.Phishing.Trojan) and the ML classifier score corroborate malicious intent. The PDF appears to be a phishing lure: the document itself is only a prompt, and its links redirect the user to a secondary PDF hosted on a suspicious domain.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.6619

Heuristics (4)

  • ClamAV detection (critical, CLAMAV_DETECTION)
    ClamAV matched the file against signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0.
  • Image-heavy PDF with invisible link to suspicious domain (high, PDF_SUSPICIOUS_LINK_LURE)
    The PDF is a small, image-heavy lure whose link annotations are not visually distinguishable from the page content, yet they send the user to a URI on a high-risk domain. This matches credential-phishing carriers in which the visible document is only a prompt and the actual credential collection happens on the linked website.
  • External URI (info, PDF_URI)
    The PDF contains at least one external URL action (/URI).
  • Embedded URLs (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL labels indicate which channel (macro, JavaScript, link annotation, document body, ...) reached each URL.
    • https://lozipotod.ru/award?keyword=autosys+commands+in+unix+pdf
    • https://cdn.sqhk.co/tumosirewuw/Rhas6Dp/jegib.pdf
    • https://cdn.sqhk.co/zikufivol/SNiguih/xakekavejebebevijarebif.pdf
    • http://securityofusersdevicesonline.site/34240877242hczb4.pdf
    • http://werenntaq.online/1_phase_and_3_phase_motor_differencee4sap.pdf
    • http://idealicacolumbia.site/rupawemiwikojupabidex3boeg.pdf
    • https://static.s123-cdn-static.com/uploads/4374380/normal_5fdf803dbef2b.pdf
    • http://teasmall.space/get_more_likes_on_tiktok_without_human_verification5v8yl.pdf
    • https://cdn.sqhk.co/kizulajeli/yjeAxyC/gudakimeliwuleluluziz.pdf
    • https://cdn-cms.f-static.net/uploads/4417653/normal_5fd3c9a7da626.pdf
    • https://static.s123-cdn-static.com/uploads/4388037/normal_5ff802ef2404a.pdf
    • https://s3.amazonaws.com/gavexilatuvitaz/agricultural_research_paper.pdf
    • http://doroxokile.epizy.com/21534190966.pdf
    • http://povalimokuwov.rf.gd/tubox.pdf
    • https://2a4065d7-883d-43e8-a524-7ce9aa4b4e88.filesusr.com/ugd/ccb1c6_241c80a0053849d1a32ae832e57bb9d9.pdf?index=true
    • https://s3.amazonaws.com/rovuweraja/how_to_start_birthday_planner_business.pdf
    • https://s3.amazonaws.com/ninasivol/judutizoz.pdf
    • https://6363ce23-9394-4102-a476-7be320345719.filesusr.com/ugd/7c41c1_d18bdee2ec77474da718d21e6defe67c.pdf?index=true
    • https://435a888a-8f80-410d-aa77-77edd6e4491d.filesusr.com/ugd/51fec0_74053b90094e4a81bb8fd39266d14d5e.pdf?index=true
    • https://s3.amazonaws.com/panalipolifod/wuwepaji.pdf
    • https://s3.amazonaws.com/sajezife/kaduwutodunogib.pdf
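The PDF_URI and PDF_SUSPICIOUS_LINK_LURE heuristics above can be reproduced with a small static check over the raw PDF object syntax. The Python below is an added example written for this page, not the analysis engine's own code: it walks `N 0 obj ... endobj` objects with regular expressions, pulls the /URI action out of every /Link annotation, and treats a link as invisible when its /Border width is 0 or its /Rect covers (nearly) the whole /MediaBox; a file is then an image-heavy lure when it has image XObjects but no font resources. The two PDFs it scans are constructed inline as parsing fixtures (no xref table, placeholder example.invalid domains), and the thresholds (256 KB size cap, 90% page coverage) are assumptions, not the engine's values.

```python
import re
from dataclasses import dataclass

# Regexes over raw PDF syntax. Assumption: the objects of interest are not
# packed inside compressed /ObjStm streams (PDF 1.5+), which this does not inflate.
OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.S)
URI_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.S)   # literal-string /URI only
NUM4 = rb"\[\s*([-\d.]+)\s+([-\d.]+)\s+([-\d.]+)\s+([-\d.]+)\s*\]"
RECT_RE = re.compile(rb"/Rect\s*" + NUM4)
MEDIABOX_RE = re.compile(rb"/MediaBox\s*" + NUM4)
BORDER_RE = re.compile(rb"/Border\s*\[\s*([-\d.]+)\s+([-\d.]+)\s+([-\d.]+)")

# Constructed fixture 1: a single image XObject, no fonts, one full-page borderless
# link annotation. Placeholder domain; not one of the URLs from the report.
LURE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]
   /Resources << /XObject << /Im0 5 0 R >> >> /Contents 4 0 R /Annots [6 0 R] >> endobj
4 0 obj << /Length 31 >> stream
q 612 0 0 792 0 0 cm /Im0 Do Q
endstream endobj
5 0 obj << /Type /XObject /Subtype /Image /Width 1 /Height 1
   /ColorSpace /DeviceGray /BitsPerComponent 8 /Length 1 >> stream
\x00
endstream endobj
6 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 612 792] /Border [0 0 0]
   /A << /Type /Action /S /URI /URI (https://lure.example.invalid/doc.pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed fixture 2: a text document with one small, bordered (visible) link.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]
   /Resources << /Font << /F1 4 0 R >> >> /Annots [5 0 R] >> endobj
4 0 obj << /Type /Font /Subtype /Type1 /BaseFont /Helvetica >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 200 712] /Border [0 0 1]
   /A << /S /URI /URI (https://docs.example.invalid/manual.pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


@dataclass
class LinkAnnot:
    obj_num: int
    uri: str
    rect: tuple          # (x1, y1, x2, y2) in user-space points
    border_width: float  # third /Border element; the PDF default is 1
    invisible: bool      # borderless, or covering (almost) the whole page


def _floats(groups):
    return tuple(float(g) for g in groups)


def page_area(pdf: bytes) -> float:
    """Area of the first declared /MediaBox, defaulting to US Letter."""
    m = MEDIABOX_RE.search(pdf)
    x1, y1, x2, y2 = _floats(m.groups()) if m else (0.0, 0.0, 612.0, 792.0)
    return abs(x2 - x1) * abs(y2 - y1)


def extract_links(pdf: bytes, full_page_ratio: float = 0.9) -> list:
    """Every /Link annotation carrying a /URI action, flagged invisible when it has
    no border or its /Rect covers at least full_page_ratio of the page (assumed threshold)."""
    area = page_area(pdf)
    links = []
    for m in OBJ_RE.finditer(pdf):
        num, body = int(m.group(1)), m.group(2)
        if not re.search(rb"/Subtype\s*/Link\b", body):
            continue
        uri_m = URI_RE.search(body)
        if not uri_m:
            continue  # GoTo/Launch/JavaScript actions would be a separate check
        uri = uri_m.group(1).decode("latin-1").replace("\\(", "(").replace("\\)", ")")
        rect_m = RECT_RE.search(body)
        rect = _floats(rect_m.groups()) if rect_m else (0.0, 0.0, 0.0, 0.0)
        border_m = BORDER_RE.search(body)
        border_width = float(border_m.group(3)) if border_m else 1.0
        covered = abs(rect[2] - rect[0]) * abs(rect[3] - rect[1]) / area if area else 0.0
        invisible = border_width == 0.0 or covered >= full_page_ratio
        links.append(LinkAnnot(num, uri, rect, border_width, invisible))
    return links


def assess(pdf: bytes, max_size: int = 256 * 1024) -> dict:
    """Re-derive the PDF_URI and PDF_SUSPICIOUS_LINK_LURE labels. 'Image-heavy' here
    means at least one image XObject and no font resource; the size cap is assumed."""
    links = extract_links(pdf)
    images = len(re.findall(rb"/Subtype\s*/Image\b", pdf))
    fonts = len(re.findall(rb"/Type\s*/Font\b", pdf))
    invisible = [l.uri for l in links if l.invisible]
    return {
        "urls": sorted({l.uri for l in links}),
        "PDF_URI": bool(links),
        "PDF_SUSPICIOUS_LINK_LURE": len(pdf) <= max_size and images > 0 and fonts == 0 and bool(invisible),
        "invisible_link_uris": invisible,
    }


if __name__ == "__main__":
    for name, blob in (("lure", LURE_PDF), ("benign", BENIGN_PDF)):
        print(name, assess(blob))
```

Two caveats for anyone turning this into a real triage step: a regex over raw bytes only sees uncompressed objects, so a production scanner must first inflate object streams and decode hex-string (`<...>`) /URI values, and the "invisible" test is a proxy for what a viewer renders; a link can also be hidden by a /F (flags) entry or an empty /C colour array, which this check does not inspect.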