Malicious PDF — malware analysis report

Static analysis result for SHA-256 aec33f1287cc7c1f…

MALICIOUS

PDF

62.3 KB Created: 2021-05-21 15:51:54 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1e372c6af5b5c30ced24ceccb1eda1cd SHA-1: 59f351aade0b9311f3c760ac1ecd0c971cdedc65 SHA-256: aec33f1287cc7c1f1ac13a0d0c04e4c28c37c16e6885bc16483be7e17cedc9df
124 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of external links, a technique often used to obscure malicious intent and distribute malware or conduct phishing. The ClamAV detection and the presence of a suspicious URL further support a malicious classification. While no scripts were explicitly extracted, the PDF structure and heuristic firings indicate it's designed to lead users to external, potentially harmful, content.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.4988

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jottigo.ru/strik?utm_term=affidavit+of+undertaking+dswd+pdf
    • https://cdn-cms.f-static.net/uploads/4445115/normal_600c539b2259a.pdf
    • https://static.s123-cdn-static.com/uploads/4495976/normal_6000ff7505ddd.pdf
    • https://funopazotasar.weebly.com/uploads/1/3/1/0/131070342/fecd0ec22a8.pdf
    • https://kivepuwepadile.weebly.com/uploads/1/3/4/3/134392404/2e437ccf4.pdf
    • https://static.s123-cdn-static.com/uploads/4403283/normal_5fe382bf3a502.pdf
    • https://cdn-cms.f-static.net/uploads/4492871/normal_6048fe09454a9.pdf
    • https://juniverobov.weebly.com/uploads/1/3/5/3/135317499/nasetex_rawanefa_foxedodefit_dovogujogu.pdf
    • https://static.s123-cdn-static.com/uploads/4423188/normal_6001413a5fb2a.pdf
    • https://nokifijipuf.weebly.com/uploads/1/3/4/3/134305843/biwupijaf.pdf
    • https://s3.amazonaws.com/defipedibe/the_most_streamed_song_in_nigeria_2020.pdf
    • https://uploads.strikinglycdn.com/files/80c228d5-8ca5-4b44-9098-e437096e25a3/moto_g_3rd_generation_price_in_bangladesh.pdf
    • https://s3.amazonaws.com/bamepofewalada/digital_design_and_computer_architecture_github.pdf
    • https://uploads.strikinglycdn.com/files/f50e9e48-ca30-4cfd-b4c7-bcd4d1d2899c/el_prncipe_maquiavelo_resumen_por_captulos.pdf
    • https://s3.amazonaws.com/murudute/ufw_firewall_guide.pdf
    • https://uploads.strikinglycdn.com/files/9c791945-e379-41d2-84ec-80bd48249201/mitsubishi_mr_slim_remote_not_working.pdf
    • https://uploads.strikinglycdn.com/files/41645302-507c-4ae6-b6e8-31f4a578f74d/how_to_replace_battery_in_black_diamond_headlamp.pdf
    • https://uploads.strikinglycdn.com/files/93e5ec4e-db96-4661-ac08-31d3287d4fa7/99664421579.pdf
    • https://uploads.strikinglycdn.com/files/2ab306d0-3128-4898-954e-5c4599d24ff4/kozodunevomadubevubevo.pdf
    • https://s3.amazonaws.com/suzujewa/soundcloud_er_apkpure.pdf
    • https://s3.amazonaws.com/lekelepowo/93380950454.pdf
    • https://s3.amazonaws.com/lomuper/kexerunitepediju.pdf
    • https://s3.amazonaws.com/zizene/new_york_guide_book_2018.pdf
    • https://uploads.strikinglycdn.com/files/6e0be0e5-4ab9-40af-8568-101d07504c59/canon_mg2520_chromebook.pdf

Open this report in the interactive analyzer, or submit your own file for analysis.