Malicious PDF — malware analysis report

Static analysis result for SHA-256 bd87de66e30a6468…

MALICIOUS

PDF

Size: 50.6 KB
Created: 2021-03-19 17:20:40 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-24
MD5: 9efa1674996fd243a2fa9efcfa5be9a3
SHA-1: f7b71d66c2edf7521e5523afe3c33713a917c6a8
SHA-256: bd87de66e30a646831ff2134665baed6f20c0140ebbc80166fbf0bf2db217f0a
Risk Score: 242

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file contains a large number of embedded links to external PDF documents, many hosted on disposable domains, indicating a link farm or SEO manipulation tactic. Several heuristics confirm this, including PDF_MALICIOUS_REDIRECTOR_LINK and PDF_SEO_LINK_FARM. The ML classifier also flagged the PDF as malicious. While no scripts were extracted, the nature of the links suggests a potential distribution vector for malicious content or phishing attempts.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9372

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM)
    A small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.