Malicious PDF — malware analysis report

Static analysis result for SHA-256 bdf2450e89f66ef2…

Verdict: MALICIOUS
File type: PDF
Size: 61.0 KB
Created: 2021-05-24 12:49:24 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-24
MD5: 814b3c515e1d8acece12936e89e57816
SHA-1: e27dd6bb5f3e6eb9f9b76e3b7c171b388b914fe1
SHA-256: bdf2450e89f66ef2edb45f750b2d292b0cdb1c6a9a1777d261d39f08fc7f39fd
Risk Score: 154

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF document was flagged as malicious by ClamAV. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.3804

Heuristics (5)

  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [medium] PDF_SEO_DISPOSABLE_LINK_FARM: Small PDF is a non-clustered link farm on disposable hosting
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • [info] PDF_URI: External URI
    PDF contains an external URL action
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://kuzutuzo.ru/strik?utm_term=what+is+the+best+bicycle+engine+kit (PDF link annotation)
    • https://cdn-cms.f-static.net/uploads/4426812/normal_602f3d67b6bd3.pdf (in PDF document text)
    • https://kigadipokifexi.weebly.com/uploads/1/3/0/8/130813079/8edfc4d9a.pdf (in PDF document text)
    • https://wanowozuvigamo.weebly.com/uploads/1/3/0/7/130738859/3316041.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4428062/normal_604666b50e329.pdf (in PDF document text)
    • https://mawurimi.weebly.com/uploads/1/3/4/6/134661678/3357497.pdf (in PDF document text)
    • https://zunezazawegor.weebly.com/uploads/1/3/4/6/134665047/gixomejuledam_lowiman_papubegejesada.pdf (in PDF document text)
    • https://lumovomudin.weebly.com/uploads/1/3/4/7/134704265/0a5e3748712a9ba.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4374976/normal_601af5a0ad6bf.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4473938/normal_60558587da6aa.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4425504/normal_600235b038430.pdf (in PDF document text)
    • https://s3.amazonaws.com/tigewibejageju/cara_gta_vice_city.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/e5d54dfb-7224-4c12-8b90-bb895b1823ec/mimagitezevemilovunokid.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/6f517bf2-43bd-4a5f-a48a-bd7bd5a3961e/79073216876.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/6b596dc8-809f-461b-985d-c0b92aefd0f9/bidemaxoro.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/a6cdad10-0092-449d-9926-3fa33c2f1cbe/pupopox.pdf (in PDF document text)
    • https://s3.amazonaws.com/bomifabipi/nikon_d850_digital_camera_cheat_sheet.pdf (in PDF document text)
    • https://s3.amazonaws.com/voxulija/67782479391.pdf (in PDF document text)
    • https://s3.amazonaws.com/wolina/18239904424.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/3ba81ca9-613d-485d-ad79-7bcca2c12662/15379144404.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/d89a30d1-b70c-40e9-8b18-06bb7d4a4bd2/99343443938.pdf (in PDF document text)
    • https://s3.amazonaws.com/wujixus/49969166471.pdf (in PDF document text)
    • https://s3.amazonaws.com/teximikamukubo/rikefevelotov.pdf (in PDF document text)
    • https://s3.amazonaws.com/vinivuxo/bukigakezi.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/0d12a840-6eba-446a-b66c-7adf2ab30c69/61250655700.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/56be363b-e6cc-4da7-82c6-b2630b0b4c72/55054916238.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/82366a98-b32c-4efd-9347-a6915747c259/wimuremuniz.pdf (in PDF document text)