Malicious PDF — malware analysis report

Static analysis result for SHA-256 9c7458559a9b340a…

MALICIOUS

PDF

38.7 KB Created: 2021-03-01 18:48:24 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-23
MD5: 0cc67d135f18e3ea007fce425afa4884 SHA-1: 41e048e77724b7a66678f14ff130845f1b518aee SHA-256: 9c7458559a9b340a604b3de0fd4f1157842f8b7f0619eb17c0243615340f641d
232 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF document is designed as a phishing lure, presenting itself as an image to trick users into clicking a link. The embedded link redirects to malicious infrastructure that hosts a farm of other PDF documents, likely to further distribute malicious content or phish for credentials. The document's structure and the presence of numerous external links strongly indicate a malicious intent to redirect users to potentially harmful sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7309

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 38 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://yafferge.ru/award?keyword=what+are+some+fun+quiz+questions+to+the+impossible In PDF document text
    • https://cdn.sqhk.co/besiwowegin/Pha7Fgi/83147669649.pdfIn PDF document text
    • https://cdn.sqhk.co/nilofixogezu/gDidgHC/ginolex.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4476011/normal_60135d94ed21f.pdfIn PDF document text
    • https://gujavaluzosozu.weebly.com/uploads/1/3/4/0/134013303/9363119.pdfIn PDF document text
    • https://cdn.sqhk.co/zudilubal/jg09ifd/call_ringtone_app_download_apk.pdfIn PDF document text
    • https://cdn.sqhk.co/ximegawaso/jftwBhj/panic_button_movie_2007.pdfIn PDF document text
    • https://cdn.sqhk.co/delotijuw/2lgdE9y/zepomifesijaposa.pdfIn PDF document text
    • https://fagozozefixus.weebly.com/uploads/1/3/4/8/134846406/zilaruzep.pdfIn PDF document text
    • https://cdn.sqhk.co/mukibusu/fkhhcgi/parent_plus_portal_login.pdfIn PDF document text
    • https://moxizeza.weebly.com/uploads/1/3/3/9/1In PDF document text
    • https://s3.amazonaws.com/mejigavukolu/45106521772.pdfIn PDF document text
    • https://s3.amazonaws.com/vuzufexarevima/anstoss_2_gold_no_cd_crack.pdfIn PDF document text