Malicious PDF — malware analysis report

Static analysis result for SHA-256 be7457313cb0b031…

Verdict: MALICIOUS
File type: PDF
Size: 84.6 KB
Created: 2020-12-07 12:58:14 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b740f6091464aa28eceaedd583adeeb9
SHA-1: 5e0896900cd7e35c4d9e646f6faf63f29ae76a7c
SHA-256: be7457313cb0b0316d0273d4d858d2433d6a24707b5b238ffa5e3d18a366ea4b
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The file is a PDF document that contains a large number of external links, many of which are designed to appear as legitimate search results or document downloads. The heuristic 'PDF_SEO_LINK_FARM' indicates a mass of external PDF links, suggesting a tactic to drive traffic to various sites. The ClamAV detection and ML classifier further support its malicious nature, likely for phishing or SEO spam.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8955

Heuristics (4)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.