Malicious PDF — malware analysis report

Static analysis result for SHA-256 9bbe8f5c03dff2e6…

Verdict: MALICIOUS
File type: PDF
Size: 50.6 KB
Created: 2020-12-21 23:14:53 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1ca9c99e627435d5a54ecca682a875c9
SHA-1: 8be9cbeccce1ee66790d7f77a99e5a91634c9911
SHA-256: 9bbe8f5c03dff2e678327b22fa218aea3bab2367609638d3cbbd4620eb0ca109
Risk score: 154

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of external links, almost all of them to benign-looking PDF files hosted on free web-publishing and object-storage services (weebly.com subdomains, uploads.strikinglycdn.com, s3.amazonaws.com). That pattern, in a 50.6 KB document rendered from HTML by wkhtmltopdf according to its metadata, is consistent with an automatically generated link farm or SEO-manipulation carrier rather than genuine document citations. The one embedded URL that does not point at a PDF, https://traffnew.ru/aws?utm_term=befikre+hd+movie++pagalworld, has unknown reputation and is the likely entry point into the malicious delivery chain; its utm_term value (a pirated-movie search phrase) matches the search-engine lure such farms use. The ClamAV signature hit and the ML classifier score corroborate the verdict: the document is a phishing or trojan-distribution carrier. This is a static result: the link targets were not fetched, so the final payload behind the traffnew.ru redirect is not established by this report and should be resolved in a sandbox before being blocked or attributed.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6781

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF_URI (info): PDF contains an external URL action
  • EMBEDDED_URL (info): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (14):
    • https://traffnew.ru/aws?utm_term=befikre+hd+movie++pagalworld
    • https://dolujutizividev.weebly.com/uploads/1/3/4/8/134864897/beminamikakiw.pdf
    • https://gizipiwiro.weebly.com/uploads/1/3/1/4/131454158/nakozaxadojutidu.pdf
    • https://bofuvuwowu.weebly.com/uploads/1/3/1/8/131856225/tasafizonejewa.pdf
    • https://pevugubak.weebly.com/uploads/1/3/2/7/132740457/07466540.pdf
    • https://duvupobilalef.weebly.com/uploads/1/3/4/6/134630448/julalizulajubesano.pdf
    • https://uploads.strikinglycdn.com/files/b57cbfc3-89fc-402e-aaa3-d05c728fd616/map_skills_navigator_teacher_login.pdf
    • https://s3.amazonaws.com/rekorewexidiwo/44536231755.pdf
    • https://uploads.strikinglycdn.com/files/c9cb619f-6e77-4804-aa8a-5ec9ab0d1ddd/7981803465.pdf
    • https://uploads.strikinglycdn.com/files/3d7e0341-fb35-4830-ab04-70249f318751/17554046550.pdf
    • https://s3.amazonaws.com/fenatagazise/hernia_de_disco.pdf
    • https://uploads.strikinglycdn.com/files/a108492e-98a2-4510-96a2-1f3c69ddc42a/mutiwanatumidivarujujurez.pdf
    • https://uploads.strikinglycdn.com/files/0b805326-0c30-49e2-9555-b86a735a0b76/market_sizing_questions.pdf
    • https://uploads.strikinglycdn.com/files/a939c404-5bc0-42df-b11d-723b15f3fc3a/bigepafe.pdf
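The PDF_SEO_LINK_FARM and EMBEDDED_URL heuristics above can be reproduced from raw PDF bytes. The following is an added example written for this page, not the scanner's own code: it builds a constructed minimal PDF containing the 14 URLs the report lists as /Link annotations, pulls every /URI action target back out, and computes the counts the link-farm verdict rests on (file size, number of external links, share that point at .pdf files, concentration on a few registrable domains) plus the non-PDF targets an analyst should pivot on. It assumes the link targets are literal strings in uncompressed annotation objects; object streams (/ObjStm) and hex-string URIs are not handled, and all thresholds are illustrative rather than the scanner's.

```python
"""Added example, not the report's own tooling: re-derive the PDF_SEO_LINK_FARM
and EMBEDDED_URL heuristics from raw PDF bytes.

Assumptions (not from the report): link targets sit in uncompressed /Annot objects
as /A << /S /URI /URI (...) >> literal strings; object streams (/ObjStm) and
hex-string URIs are not handled. All thresholds are illustrative.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# The 14 URLs listed in the report. Everything else in the sample file is constructed.
URLS_FROM_REPORT = [
    "https://traffnew.ru/aws?utm_term=befikre+hd+movie++pagalworld",
    "https://dolujutizividev.weebly.com/uploads/1/3/4/8/134864897/beminamikakiw.pdf",
    "https://gizipiwiro.weebly.com/uploads/1/3/1/4/131454158/nakozaxadojutidu.pdf",
    "https://bofuvuwowu.weebly.com/uploads/1/3/1/8/131856225/tasafizonejewa.pdf",
    "https://pevugubak.weebly.com/uploads/1/3/2/7/132740457/07466540.pdf",
    "https://duvupobilalef.weebly.com/uploads/1/3/4/6/134630448/julalizulajubesano.pdf",
    "https://uploads.strikinglycdn.com/files/b57cbfc3-89fc-402e-aaa3-d05c728fd616/map_skills_navigator_teacher_login.pdf",
    "https://s3.amazonaws.com/rekorewexidiwo/44536231755.pdf",
    "https://uploads.strikinglycdn.com/files/c9cb619f-6e77-4804-aa8a-5ec9ab0d1ddd/7981803465.pdf",
    "https://uploads.strikinglycdn.com/files/3d7e0341-fb35-4830-ab04-70249f318751/17554046550.pdf",
    "https://s3.amazonaws.com/fenatagazise/hernia_de_disco.pdf",
    "https://uploads.strikinglycdn.com/files/a108492e-98a2-4510-96a2-1f3c69ddc42a/mutiwanatumidivarujujurez.pdf",
    "https://uploads.strikinglycdn.com/files/0b805326-0c30-49e2-9555-b86a735a0b76/market_sizing_questions.pdf",
    "https://uploads.strikinglycdn.com/files/a939c404-5bc0-42df-b11d-723b15f3fc3a/bigepafe.pdf",
]


def build_sample_pdf(urls):
    """Constructed minimal PDF: one uncompressed /Link annotation object per URL."""
    objs = []
    for num, url in enumerate(urls, start=1):
        objs.append(
            f"{num} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
            f"/A << /S /URI /URI ({url}) >> >>\nendobj\n"
        )
    return ("%PDF-1.4\n" + "".join(objs) + "trailer\n<< /Root 1 0 R >>\n%%EOF\n").encode("latin-1")


# /URI action target as a literal string; stop at the first ')' that is not escaped
URI_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.DOTALL)


def extract_uris(pdf_bytes):
    """Return /URI action targets in file order with PDF literal-string escapes undone."""
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = re.sub(rb"\\([()\\])", rb"\1", m.group(1))  # \( \) \\ -> ( ) \
        uris.append(raw.decode("latin-1"))
    return uris


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); fine for this sample, not a public-suffix lookup."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def link_farm_metrics(pdf_bytes):
    """Counts behind the PDF_SEO_LINK_FARM heuristic plus the non-PDF URLs to pivot on."""
    urls = extract_uris(pdf_bytes)
    external = [u for u in urls if urlparse(u).scheme in ("http", "https")]
    pdf_links = [u for u in external if urlparse(u).path.lower().endswith(".pdf")]
    domains = Counter(registrable_domain(urlparse(u).hostname or "") for u in pdf_links)
    top2 = sum(n for _, n in domains.most_common(2))
    return {
        "size_bytes": len(pdf_bytes),
        "external_links": len(external),
        "pdf_links": len(pdf_links),
        "pdf_ratio": len(pdf_links) / len(external) if external else 0.0,
        "top2_domain_share": top2 / len(pdf_links) if pdf_links else 0.0,
        "domains": domains,
        # targets that are not PDFs themselves: the redirector/landing-page candidates
        "non_pdf_links": [u for u in external if u not in pdf_links],
    }


def is_seo_link_farm(m, max_size=100_000, min_links=10, min_pdf_ratio=0.7, min_share=0.6):
    """Illustrative thresholds: small file, many links, mostly PDFs, few domains."""
    return (m["size_bytes"] <= max_size and m["external_links"] >= min_links
            and m["pdf_ratio"] >= min_pdf_ratio and m["top2_domain_share"] >= min_share)


if __name__ == "__main__":
    metrics = link_farm_metrics(build_sample_pdf(URLS_FROM_REPORT))
    for key in ("size_bytes", "external_links", "pdf_links", "pdf_ratio", "top2_domain_share"):
        print(f"{key}: {metrics[key]}")
    print("domains:", dict(metrics["domains"]))
    print("pivot URLs:", metrics["non_pdf_links"])
    print("PDF_SEO_LINK_FARM:", is_seo_link_farm(metrics))
```

On the report's own URL set this yields 14 external links, 13 of them PDFs spread over strikinglycdn.com (6), weebly.com (5) and amazonaws.com (2), and exactly one non-PDF pivot URL, the traffnew.ru redirector. Against a real sample, decompress object streams first (pikepdf or pdfminer will do it) or the regex will miss annotations stored inside /ObjStm, and treat the extracted URLs as channel evidence only: reputation and the eventual payload still have to be resolved separately.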