Malicious PDF — malware analysis report

Static analysis result for SHA-256 ac7cdedee8125a00…

Verdict: MALICIOUS

File type: PDF

Size: 59.3 KB
Created: 2021-04-28 13:41:05 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-22
MD5: 3cb3a80ba44b111f87ca73bebcaa4e99
SHA-1: 36f44782b457bc4304706071a4a9b74e5403e49a
SHA-256: ac7cdedee8125a00bcb5be060588ef5c8c140303a9d943e4d87bbf2a3fc3daa3
Risk Score: 124

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file contains numerous embedded URLs, most pointing to free or disposable hosting and one carrying a utm_term parameter, a pattern consistent with an SEO link farm or phishing lure. The ML classifier score and the ClamAV signature match corroborate malicious intent. No JavaScript or other active content was extracted, so the file itself is not an exploit; its structure and URL patterns are consistent with a phishing or malware-distribution campaign whose risk lies in the linked destinations.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6478

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    The PDF is small and contains many clickable external links to PDFs spread thinly across many distinct hosts, with no single dominant host. This is corroborated by a utm_term SEO-redirector link and by links parked on free or disposable content hosts. The pattern matches the 'free document/template' SEO phishing PDF family: documents that rank for search queries and route users into payload or redirect chains, rather than a normal citation pattern. The PDF itself carries no exploit; the risk lies in the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://druttle.ru/strik?utm_term=power+cooker+recipes+chicken+thighs (PDF link annotation)
    • https://wesarifalonaba.weebly.com/uploads/1/3/5/9/135961423/5365ea4.pdf (in PDF document text)
    • http://zedukibawubige.22web.org/nogibif.pdf (in PDF document text)
    • http://rajukilodagoje.mygamesonline.org/35379923275.pdf (in PDF document text)
    • http://rajonilelubej.22web.org/john_dewey_theory_of_experience_and_learning.pdf (in PDF document text)
    • https://mateboxabivof.weebly.com/uploads/1/3/4/7/134763458/f0766875f4.pdf (in PDF document text)
    • https://poxatekegevu.weebly.com/uploads/1/3/4/7/134753674/3333736.pdf (in PDF document text)
    • http://silujokiz.mypressonline.com/ajcc_8th_edition.pdf (in PDF document text)
    • http://bexunorisomev.iblogger.org/the_managed_heart_arlie_hochschild.pdf (in PDF document text)
    • http://nixipidulateva.rf.gd/simple_reading_worksheets.pdf (in PDF document text)
    • http://notijukigexu.rf.gd/baldurs_gate_dark_alliance_xbox_360.pdf (in PDF document text)
    • https://s3.amazonaws.com/busutafitufe/55814516237.pdf (in PDF document text)
    • http://nitobub.rf.gd/appsc_panchayat_secretary_previous_papers_2020.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/730c554e-bf21-40b0-a897-ecde26df1738/dell_755_tower_specifications.pdf (in PDF document text)
    • http://vananoxozonu.epizy.com/14025666410.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/beb50c03-8d11-48f6-b17f-aa74498e7309/what_alien_race_is_ahsoka_tano.pdf (in PDF document text)
    • http://viduzakovovamu.rf.gd/83995774201.pdf (in PDF document text)
    • https://s3.amazonaws.com/tufujifinobiro/florida_space_coast_fishing_report.pdf (in PDF document text)
    • http://pidusuzelaju.epizy.com/69461983080.pdf (in PDF document text)
    • http://ropupifalapoges.atwebpages.com/wopemim.pdf (in PDF document text)
    • https://s3.amazonaws.com/gisujubolidine/kosud.pdf (in PDF document text)
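The PDF_SEO_DISPOSABLE_LINK_FARM heuristic above, re-implemented in Python over the URL list this report extracted. This is an added example, not the scanner's own code: the function names, the thresholds (at least 10 links, no host above 50% share, corroboration by a utm_term redirector or a majority of links on disposable hosts) and the DISPOSABLE_SUFFIXES list are assumptions, and SAMPLE_URLS is constructed from the URLs and channel labels listed on this page. It takes URLs that have already been pulled out of the PDF (link-annotation /URI actions and body text), so it does no PDF parsing itself.

```python
"""Added example: the PDF_SEO_DISPOSABLE_LINK_FARM heuristic re-implemented over
already-extracted (url, channel) pairs. Thresholds, the disposable-host list and
all function names are assumptions, not the scanner's own values."""
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Assumption: suffixes of free/disposable content hosts commonly abused by
# SEO phishing PDFs. A real deployment would maintain this list separately.
DISPOSABLE_SUFFIXES = (
    "weebly.com", "22web.org", "rf.gd", "epizy.com", "mygamesonline.org",
    "mypressonline.com", "iblogger.org", "atwebpages.com",
    "strikinglycdn.com", "s3.amazonaws.com",
)

# Constructed sample input: the URLs and channels listed in this report.
SAMPLE_URLS = [
    ("https://druttle.ru/strik?utm_term=power+cooker+recipes+chicken+thighs", "link annotation"),
    ("https://wesarifalonaba.weebly.com/uploads/1/3/5/9/135961423/5365ea4.pdf", "document text"),
    ("http://zedukibawubige.22web.org/nogibif.pdf", "document text"),
    ("http://rajukilodagoje.mygamesonline.org/35379923275.pdf", "document text"),
    ("http://rajonilelubej.22web.org/john_dewey_theory_of_experience_and_learning.pdf", "document text"),
    ("https://mateboxabivof.weebly.com/uploads/1/3/4/7/134763458/f0766875f4.pdf", "document text"),
    ("https://poxatekegevu.weebly.com/uploads/1/3/4/7/134753674/3333736.pdf", "document text"),
    ("http://silujokiz.mypressonline.com/ajcc_8th_edition.pdf", "document text"),
    ("http://bexunorisomev.iblogger.org/the_managed_heart_arlie_hochschild.pdf", "document text"),
    ("http://nixipidulateva.rf.gd/simple_reading_worksheets.pdf", "document text"),
    ("http://notijukigexu.rf.gd/baldurs_gate_dark_alliance_xbox_360.pdf", "document text"),
    ("https://s3.amazonaws.com/busutafitufe/55814516237.pdf", "document text"),
    ("http://nitobub.rf.gd/appsc_panchayat_secretary_previous_papers_2020.pdf", "document text"),
    ("https://uploads.strikinglycdn.com/files/730c554e-bf21-40b0-a897-ecde26df1738/dell_755_tower_specifications.pdf", "document text"),
    ("http://vananoxozonu.epizy.com/14025666410.pdf", "document text"),
    ("https://uploads.strikinglycdn.com/files/beb50c03-8d11-48f6-b17f-aa74498e7309/what_alien_race_is_ahsoka_tano.pdf", "document text"),
    ("http://viduzakovovamu.rf.gd/83995774201.pdf", "document text"),
    ("https://s3.amazonaws.com/tufujifinobiro/florida_space_coast_fishing_report.pdf", "document text"),
    ("http://pidusuzelaju.epizy.com/69461983080.pdf", "document text"),
    ("http://ropupifalapoges.atwebpages.com/wopemim.pdf", "document text"),
    ("https://s3.amazonaws.com/gisujubolidine/kosud.pdf", "document text"),
]


def hostname_of(url):
    """Lower-cased hostname of url, or None if it cannot be parsed."""
    try:
        return urlparse(url).hostname
    except ValueError:
        return None


def is_disposable(host):
    """True if host is, or is a subdomain of, a known disposable host."""
    return any(host == s or host.endswith("." + s) for s in DISPOSABLE_SUFFIXES)


def has_seo_redirector(url):
    """True if the query string carries utm_term, the search-query hint an
    SEO redirector uses to choose its destination."""
    return "utm_term" in parse_qs(urlparse(url).query)


def classify_link_farm(urls, min_links=10, max_dominant_share=0.5,
                       min_disposable_share=0.5):
    """Score (url, channel) pairs against the link-farm pattern.

    Returns (verdict, features). The pattern fires when there are many links,
    no single host dominates, and the spread is corroborated by a utm_term
    redirector or by a majority of links on disposable hosts.
    """
    hosts = [h for h in (hostname_of(u) for u, _ in urls) if h]
    n = len(hosts)
    counts = Counter(hosts)
    dominant_host, dominant_count = counts.most_common(1)[0] if counts else (None, 0)
    disposable = sum(1 for h in hosts if is_disposable(h))
    features = {
        "n_links": n,
        "distinct_hosts": len(counts),
        "dominant_host": dominant_host,
        "dominant_share": dominant_count / n if n else 0.0,
        "disposable_hosts": disposable,
        "seo_redirector": any(has_seo_redirector(u) for u, _ in urls),
        "external_pdf_links": sum(
            1 for u, _ in urls if urlparse(u).path.lower().endswith(".pdf")),
        "channels": dict(Counter(c for _, c in urls)),
    }
    thin_spread = n >= min_links and features["dominant_share"] <= max_dominant_share
    corroborated = features["seo_redirector"] or (
        n > 0 and disposable / n >= min_disposable_share)
    return bool(thin_spread and corroborated), features


if __name__ == "__main__":
    verdict, feats = classify_link_farm(SAMPLE_URLS)
    print("link farm:", verdict)
    for key, value in feats.items():
        print(f"  {key}: {value}")
```

On the report's own list the rule fires: 21 links over 18 distinct hosts, the most frequent host (s3.amazonaws.com) holding only three of them, 20 of 21 on disposable hosting, plus the single utm_term redirector. A dozen citations all pointing at one publisher's host has a dominant share of 1.0 and does not fire, which is the "non-clustered" distinction the heuristic relies on. Because the verdict rests entirely on the destinations, triage should treat the listed hosts, not the document, as the indicators to block and hunt for.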