Malicious PDF — malware analysis report

Static analysis result for SHA-256 bd60775a9a470f72…

Verdict: MALICIOUS
File type: PDF
Size: 57.2 KB
Created: 2021-03-20 10:46:17 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: 52c93319c44b7515575941fbaf0776a1
SHA-1: 5f65f3cc8c0209da83821dc9b9c4fef55ee47433
SHA-256: bd60775a9a470f72282f620a632b3a62c85431add636e386b8fe8af757693ee3
Risk Score: 154

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of external links, many of which point to other PDFs, suggesting a link farm or SEO poisoning tactic. One prominent URL, 'https://crophysi.ru/award?keyword=machinist+hammer+plans+pdf', is directly associated with the document's apparent theme. The ClamAV detection and ML classifier further indicate malicious intent, likely related to phishing or malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5074

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://crophysi.ru/award?keyword=machinist+hammer+plans+pdf (channel: PDF link annotation)