PDF malware analysis — malicious · a5dfd9dc6194d9a0

MALICIOUS

PDF

47.1 KB Created: 2021-03-30 19:22:06 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: aa56d736e7ca4e62af63335f476f4490 SHA-1: 42008092afc7ee06ed4c64b11387a71bd6d0d64f SHA-256: a5dfd9dc6194d9a0e3ec31d27ac70bc11bab6f0d1a1ad5b4d6bad87246928b13

144 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

This PDF is identified as malicious by ClamAV and an ML classifier, exhibiting characteristics of a phishing lure. It contains an embedded URL that directs to a suspicious domain, likely intended to deliver a second-stage payload or phish for credentials. The document's structure suggests it's an image-based lure designed to trick users into interacting with the malicious link.

Machine Learning

Nyx PDF Classifier malicious score 0.7585

Heuristics 5

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE

PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 47 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://crophysi.ru/strik?utm_term=mother%2527s+day+wisdom
- http://meetlait.pro/samsung_hw-j550_wall_mountqbc4m.pdf
- http://budokudepa.scienceontheweb.net/affiliate_business_model.pdf
- http://qwonder.space/vonagikazosadezupegesolep44q12.pdf
- http://pasikufopubiwo.mypressonline.com/lusem.pdf
- http://logowiwubapokar.iblogger.org/zilogon.pdf
- http://zafenoro.scienceontheweb.net/english_words_meaning_in_telugu.pdf
- http://xixizugujixu.iblogger.org/totonorilo.pdf
- http://idealsit.space/how_to_set_keyboard_shortcuts_premiere_probsoc4.pdf
- http://nosinoski.shop/sofewumezagadelipijugs08g.pdf
- http://noxegasi.iblogger.org/gofoxiwaxumosigolufojajed.pdf
- http://nomiwiturej.getenjoyment.net/active_and_passive_sentences_worksheet.pdf
- https://2e5cbe44-7de3-4e3f-b94c-8a8567814465.filesusr.com/ugd/f96b02_e2dc3e70dfce4652abfcdb00e428c0a5.pdf?index=true
- https://uploads.strikinglycdn.com/files/d65328ca-9250-48f6-a270-be870af4d852/percy_jackson_the_lightning_thief_book_cover.pdf
- http://madojizekikozor.epizy.com/gat_subject_management_sciences_mcqs_with_answers.pdf
- http://limepupotof.epizy.com/68552590803.pdf
- https://uploads.strikinglycdn.com/files/625c46d9-0864-4183-b53b-62a3f36d7591/71594616865.pdf
- http://tagapibit.epizy.com/convict_conditioning_2_trifecta.pdf
- http://pavadujutupa.epizy.com/8963402516.pdf
- https://uploads.strikinglycdn.com/files/7b7f38bf-56ee-4959-9c35-232c62848e95/rigixipanipu.pdf
- http://xerozodofuvu.epizy.com/starbucks_almond_milk_frappuccino_calories.pdf
- https://23da7c74-6e14-424a-b22a-901aa35eafb1.filesusr.com/ugd/9cc572_c5f1ad101c7e405e94142774dfe9779f.pdf?index=true

Open this report in the interactive analyzer, or submit your own file for analysis.