Malicious PDF — malware analysis report

Static analysis result for SHA-256 c0ee1380e8a9752f…

MALICIOUS

PDF

63.5 KB Created: 2021-03-21 09:09:16 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: da9e1b68bfbbad11992ee587daa7b631 SHA-1: 57061884a3a48ddf54c27a137df6735fe7856b85 SHA-256: c0ee1380e8a9752f31ddbb0d54f81d8609a7ae2d0894fdde16394b2eb4e64da1
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of external links, identified as a link farm, pointing to various PDF documents. One of the primary links, 'https://druttle.ru/strik?utm_term=el+nombre+de+jesus+letra+y+acordes+redimi2', is suspicious and likely leads to a phishing or malware distribution site. The presence of embedded URLs and the ML classifier's high score further support the malicious nature of this document.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7657

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://druttle.ru/strik?utm_term=el+nombre+de+jesus+letra+y+acordes+redimi2
    • http://kifejuja.medianewsonline.com/55641915338.pdf
    • http://vasowenotaruso.22web.org/kojirudapunawu.pdf
    • http://powezikunuzumi.iblogger.org/72816499359.pdf
    • http://lufexaxoxak.mygamesonline.org/bacteria_types.pdf
    • http://fesupopimos.66ghz.com/mustache_template_engine.pdf
    • https://3b0fe5ff-7f86-489c-8138-fc984e51136c.filesusr.com/ugd/bfd78a_ee6a2673ebfc46ca9693a51a8933fe89.pdf?index=true
    • https://uploads.strikinglycdn.com/files/c7a717bf-737f-4298-9225-7e986b09e97e/how_to_write_2000_million_in_numbers.pdf
    • http://zivexotafoni.myartsonline.com/xupafuteferaje.pdf
    • http://sosozodazu.epizy.com/23672771945.pdf
    • https://f45985d3-969e-4a4b-a16b-f92b7c881388.filesusr.com/ugd/20da2d_b626b8faac88475486a163aaba3100d2.pdf?index=true
    • https://uploads.strikinglycdn.com/files/c822692f-771a-4a64-89d6-97d3cff6d881/70165699114.pdf
    • https://uploads.strikinglycdn.com/files/a5b655d7-6844-42f4-b7c8-f3543028fecd/vazezed.pdf
    • https://uploads.strikinglycdn.com/files/15bf2d5f-1655-4546-9ba8-b30fae61fca8/95248787472.pdf
    • http://sofibimibojas.myartsonline.com/descendants_2_full_script.pdf
    • https://ed21222e-fee3-4fab-8b52-e2ddb7bb35ab.filesusr.com/ugd/e73fea_cbb9ed869e8f479bb6473480b68d54db.pdf?index=true
    • https://uploads.strikinglycdn.com/files/ef5724ce-497b-4c3b-b537-43e92df75d7b/wajuwulokubilupawun.pdf
    • https://uploads.strikinglycdn.com/files/5366dd17-758d-49cf-9741-a62ed6dfc253/diy_dillon_650_autodrive.pdf

Open this report in the interactive analyzer, or submit your own file for analysis.