Malicious PDF — malware analysis report

Static analysis result for SHA-256 c0db8fe24d5b67ec…

MALICIOUS

PDF

49.6 KB Created: 2020-11-18 04:23:26 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bda0fe42d787ae44d6313e0857fdf275 SHA-1: dacb94639fdf7aa363f9e7833f87a08ab65fc8e9 SHA-256: c0db8fe24d5b67ec47a1e5c6ea7707480d186bbf5d15b3acbd417d1a9fc6b95f
204 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF document is identified as malicious by ClamAV and a machine learning classifier, exhibiting characteristics of a phishing lure. It contains an image-based interface with a clickable link, designed to deceive users into navigating to external URLs. The document hosts a link farm with numerous external links, many pointing to disposable domains, suggesting an attempt to distribute malicious content or redirect users to phishing sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7011

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 49 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffset.ru/aws?utm_term=kadamba+kannada+movie+video+songs+free
    • https://xonujofepip.weebly.com/uploads/1/3/4/3/134385468/siturubulusero.pdf
    • https://cdn-cms.f-static.net/uploads/4393019/normal_5fa11ad1de04f.pdf
    • https://cdn-cms.f-static.net/uploads/4413121/normal_5f9cb05c85f3c.pdf
    • https://penusifobituje.weebly.com/uploads/1/3/4/3/134314418/madasadev-dubib-sedevog.pdf
    • https://cdn-cms.f-static.net/uploads/4384035/normal_5faa41efe26c6.pdf
    • https://mekujukoner.weebly.com/uploads/1/3/4/7/134715553/lajojil.pdf
    • https://vorujefam.weebly.com/uploads/1/3/4/3/134322124/66f175.pdf
    • https://wurikosaradusif.weebly.com/uploads/1/3/1/3/131384544/3547591.pdf
    • https://uploads.strikinglycdn.com/files/1d8743db-de13-4a20-a0ef-6c7444c29a96/35274709420.pdf
    • https://s3.amazonaws.com/mujevubutukoxu/ben_hogan_grip_illustration.pdf
    • https://uploads.strikinglycdn.com/files/64aead26-5883-4019-91e4-cff0178ea048/vojitupos.pdf
    • https://uploads.strikinglycdn.com/files/7920f56d-9410-4eff-962b-b7587906dd2a/tukisabixegodebed.pdf
    • https://s3.amazonaws.com/sisaxu/top_gear_botswana_special_episode_number.pdf
    • https://s3.amazonaws.com/takurugilij/49126952076.pdf

Open this report in the interactive analyzer, or submit your own file for analysis.