Malicious PDF — malware analysis report

Static analysis result for SHA-256 c0e81cff27d8b76c…

MALICIOUS

PDF

57.5 KB Created: 2021-03-27 20:05:16 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a246cd3263e58ff9abe79b4d9a8577e9 SHA-1: a3fe0da4c69dcfc25478af6bdb9b4ff99fb4278f SHA-256: c0e81cff27d8b76c6fc68a1d7446b26fb55be961027a98df06abbdd17722ac48
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file contains numerous external links, a common tactic for SEO link farms or phishing campaigns. One prominent URL, 'https://fokemale.ru/123?utm_term=bloody+roar+ps1+ukuran+kecil', suggests a lure related to a game, likely intended to deceive users into visiting a malicious site. ClamAV detection and ML classification further support its malicious nature, indicating it's a phishing or trojan distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6420

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://fokemale.ru/123?utm_term=bloody+roar+ps1+ukuran+kecil
    • http://kevebofuru.medianewsonline.com/boy_scout_popcorn_order_form_2020.pdf
    • https://cdn-cms.f-static.net/uploads/4413109/normal_5fd3a4e244c40.pdf
    • http://shop-onlain.fun/setaruzem21an3.pdf
    • https://cdn-cms.f-static.net/uploads/4366965/normal_601a16a914e05.pdf
    • https://lerozezowigex.weebly.com/uploads/1/3/0/7/130776164/bbb838f5b3ab364.pdf
    • http://superheatbelt.xyz/software_testing_course_fees_in_navi_mumbaisk8pr.pdf
    • http://tezijexipilimo.getenjoyment.net/attractor_factor_italiano.pdf
    • https://cdn-cms.f-static.net/uploads/4458163/normal_604349a4b8a9d.pdf
    • https://pomapufawupufus.weebly.com/uploads/1/3/5/3/135397804/896325.pdf
    • https://cdn-cms.f-static.net/uploads/4371809/normal_60344eb458489.pdf
    • http://sibatike.getenjoyment.net/9186063429.pdf
    • https://uploads.strikinglycdn.com/files/79cda1da-e4cd-446f-b3ac-1e7bf50be897/81572633234.pdf
    • https://uploads.strikinglycdn.com/files/207ae887-d25e-42e4-a076-761c66306c73/dd_dungeon_masters_guide_5e.pdf
    • http://koduwutuvage.onlinewebshop.net/sinuwog.pdf
    • https://uploads.strikinglycdn.com/files/e6fe6cde-e93b-4c3b-863f-c81a46cee89e/38782364623.pdf
    • https://uploads.strikinglycdn.com/files/e3b6b6b2-4c42-46b4-931c-81b985e316ae/87770257000.pdf
    • https://uploads.strikinglycdn.com/files/4bcf4b4d-19f0-4f73-bbb0-4bc1fe0fa93e/46920970435.pdf
    • https://uploads.strikinglycdn.com/files/5c5226cf-82ab-47b8-8f73-59260db03a16/is_it_worth_building_your_own_home.pdf
    • https://uploads.strikinglycdn.com/files/1e62798d-77f1-4c98-b23e-bbe18149b68c/1927452195.pdf
    • http://vexabimumemig.atwebpages.com/96788861969.pdf
    • https://uploads.strikinglycdn.com/files/bc5c1b8d-71ca-46c0-868a-e4b0bfae346f/stampante_samsung_xpress_c480fw_manuale.pdf

Open this report in the interactive analyzer, or submit your own file for analysis.