Malicious PDF — malware analysis report

Static analysis result for SHA-256 bd7da734584adad3…

MALICIOUS

PDF

Size: 49.2 KB | Created: 2020-11-25 15:43:01 +02:00 | Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f391dc564367448be56f5a72647d2c49
SHA-1: e472c42c35b94d76f9edfb6afc3eb01c31d4a619
SHA-256: bd7da734584adad3cf7525bb183615ebedcc5da7512c1ab69970b8cd128fcf0a
Risk Score: 174

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file is identified as malicious by ClamAV and an ML classifier, and it employs a common screenshot lure technique. It contains numerous external links, with the primary one being 'https://trafffe.ru/aws?utm_term=kelebihan+surah+al+mulk+pdf', suggesting a phishing or content-luring purpose. The presence of embedded URLs and the PDF structure indicate an attempt to redirect users to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6643

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Image-only document with action trigger (screenshot lure) [medium] PDF_IMAGE_LURE
    PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 49 KB: the typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://trafffe.ru/aws?utm_term=kelebihan+surah+al+mulk+pdf