Malicious PDF — malware analysis report

Static analysis result for SHA-256 b48d2550c2b72f3b…

MALICIOUS

PDF

51.7 KB Created: 2021-03-16 16:58:14 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-25
MD5: d251ce465f9793180042762a8708eeed SHA-1: d09144224fd6972d914ecdaabed59019fdc749de SHA-256: b48d2550c2b72f3b877b89f0e51a58b0fc0384f6ea3f7e78dbca7255fe54f352
184 Risk Score
Tags
free-cdn-ebook-manual-lure

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6386

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://midufefew.ru/award?keyword=portrait+drawing+tutorial+pdf PDF link annotation
    • http://nemosixumeki.mypressonline.com/xixom.pdfIn PDF document text
    • http://sizuxofutitarax.mypressonline.com/43317532357.pdfIn PDF document text
    • https://pedexanagokol.weebly.com/uploads/1/3/4/6/134635549/suregamar-fajud-sorovid-fedepul.pdfIn PDF document text
    • http://tisimewifexumi.iblogger.org/12311687399.pdfIn PDF document text
    • https://ganalazukomej.weebly.com/uploads/1/3/4/7/134714395/zarememoxemorufudo.pdfIn PDF document text
    • http://jixaravaxagisuf.22web.org/92335509088.pdfIn PDF document text
    • https://dofafurubes.weebly.com/uploads/1/3/4/7/134762343/jatugabanokoxe.pdfIn PDF document text
    • http://varogowarusop.rf.gd/65856545565.pdfIn PDF document text
    • https://0ecef3a8-5193-4df1-8dcb-1b7dd0f2be2a.filesusr.com/ugd/e6092c_5c2190eb7d14449e8dbcabe51b05e1e5.pdf?index=trueIn PDF document text
    • https://2ffa788b-df2f-461f-b9c5-573bec542745.filesusr.com/ugd/374ce0_d702e6cbed8a4652b29290e691621727.pdf?index=trueIn PDF document text
    • https://6baea7ca-81e4-4a11-8410-716433a99462.filesusr.com/ugd/764aaa_661d0daea78348a7b83ed8d2c941a7d4.pdf?index=trueIn PDF document text
    • https://86908e24-11f3-43a1-9346-bf531f45ee0b.filesusr.com/ugd/97493d_9b5bdbbe989941a395bd6327279ee286.pdf?index=trueIn PDF document text
    • https://uploads.strikinglycdn.com/files/72f2fca2-d1bb-48ba-ab4d-ad9cb36bd593/calcular_volumen_de_prismas_y_piramides.pdfIn PDF document text
    • https://858e1da1-ad31-4e5b-aec0-89c59c6c71f6.filesusr.com/ugd/6240f8_7eca38397df84173a1c02ef4407e9456.pdf?index=trueIn PDF document text
    • http://motodoka.rf.gd/phrasal_verbs_list_download.pdfIn PDF document text
    • https://0502d5d0-a0f5-47b8-bc1c-644c46e4e431.filesusr.com/ugd/6cabbb_65424becdf40463ea79a784f448ce17c.pdf?index=trueIn PDF document text
    • http://ketabigumowun.atwebpages.com/how_to_start_civil_court_proceedings.pdfIn PDF document text
    • https://21a67f6d-2aea-439f-a910-ed4feb6be009.filesusr.com/ugd/173616_006f4362f5ae43baa99f60566f6a3d13.pdf?index=trueIn PDF document text
    • https://uploads.strikinglycdn.com/files/4bdc5028-62d3-4d53-afa2-e40bb0d9f57f/word_order_exercises_intermediate_level.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/b5a78052-18c7-4e33-855a-2183b11ba952/fovenodurotize.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/eafafbf0-00f3-4b3e-bc47-43d6c82864bb/windows_10_free_upgrade_2019_uk.pdfIn PDF document text
    • https://77483064-5892-4b52-b419-66e751946b77.filesusr.com/ugd/ef7b09_e3e9cfe56b564c9eaff2a6eb9eb7d27c.pdf?index=trueIn PDF document text
    • https://7f03322d-63d6-449b-a8c2-a80beffeb2b6.filesusr.com/ugd/2994dd_45c68fd99c864a15a99b3ad1dc6594fe.pdf?index=trueIn PDF document text
    • https://uploads.strikinglycdn.com/files/5b913d4b-9269-4373-bb8e-5eed57842689/garmin_nuvi_1390_map_update_2019.pdfIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.