Malicious PDF — malware analysis report

Static analysis result for SHA-256 b1e8c4cfdeecb495…

MALICIOUS

PDF

Size: 39.1 KB
Created: 2021-06-09 21:10:33 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: fbec0a4a778fe529a554d97995f70b50
SHA-1: 9c137425926907c707263f54ffb80b8cf165d2c4
SHA-256: b1e8c4cfdeecb4953d28a7d28bd42567f641753760732faaae12e447d6ec5428
Risk Score: 174

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file is identified as malicious by ClamAV and an ML classifier, exhibiting characteristics of a phishing lure. It contains an image-based interface and a single external URI pointing to a suspicious domain, likely intended to redirect the user to a malicious site. The presence of numerous external links, many pointing to PDF files, suggests a link farm designed to obscure the true malicious destination.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7465

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Image-only document with action trigger (screenshot lure) (medium, PDF_IMAGE_LURE)
    PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 39 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://irlanc.ru/pbw?utm_term=gta+online+apk+obb