Malicious PDF — malware analysis report

Static analysis result for SHA-256 c5872eda4e1a934b…

Verdict: MALICIOUS
File type: PDF
Size: 64.0 KB
Created: 2021-04-02 17:55:18 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9a46f2e0103a2976fdf6c282b0fa5d5a
SHA-1: f2a3784c767723d21fd1c15896a5aa7b99393df6
SHA-256: c5872eda4e1a934ba3ac183c49e061b334fd7484a1f7dc5678e3bdd4aaafc0ee
Risk score: 154

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains numerous external links, most of them to other PDFs spread across a handful of hosting domains, a pattern typical of SEO link farms built to push deceptive content up search rankings. The ClamAV detection for Pdf.Phishing.Trojan and the high ML classifier score (0.98) together strongly indicate malicious intent. The document body, though heavily obfuscated, contains references to 'Amazon kindle convert pdf via email' and 'wkhtmltopdf'; the former matches the keyword parameter of the external URL action, suggesting a search-engine lure that routes the reader to a potentially malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9800

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF_URI (info): External URI action
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URLs
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL: https://vilenefex.ru/award?keyword=amazon+kindle+convert+pdf+via+email
    • https://zesaxigupube.weebly.com/uploads/1/3/4/0/134016892/8e366b9.pdf
    • https://zaketedojerobi.weebly.com/uploads/1/3/6/0/136023974/mubuxazuno-bidomegototosut-vojomamojuzu-gifosodiro.pdf
    • https://cdn-cms.f-static.net/uploads/4379837/normal_60551b3e11e82.pdf
    • https://damatabawapu.weebly.com/uploads/1/3/1/3/131379320/6284514.pdf
    • http://megidexabaror.mywebcommunity.org/91453477697.pdf
    • https://static.s123-cdn-static.com/uploads/4465709/normal_5fcc541020f10.pdf
    • https://zorusijumabek.weebly.com/uploads/1/3/4/8/134851431/9801114.pdf
    • https://static.s123-cdn-static.com/uploads/4476925/normal_5fdf2b571932d.pdf
    • http://fegivate.medianewsonline.com/dinamalar_aanmeega_malar_download.pdf
    • http://sasawavivar.mygamesonline.org/effects_of_tardiness_of_students.pdf
    • http://tulavesew.getenjoyment.net/descargar_biblia_de_estudio_thompson_gratis_en_espaol_apk.pdf
    • http://xozowilozoga.mywebcommunity.org/favudogis.pdf
    • http://xepelewatelaziv.getenjoyment.net/gukig.pdf
    • https://nizifaweneli.weebly.com/uploads/1/3/4/5/134589853/9791944.pdf
    • https://uploads.strikinglycdn.com/files/a5ca5445-b477-4e06-a6fc-3a6fe3a1b759/the_entertainer_movie_robert_redford.pdf
    • https://uploads.strikinglycdn.com/files/7a9a7e05-1a5d-4965-aaf9-4e2fa8196692/92873833811.pdf
    • http://rotufixijisadi.onlinewebshop.net/zijexojegozabiwusil.pdf
    • https://uploads.strikinglycdn.com/files/0fbcb04a-4689-40ab-b861-6bf549915df6/48692786927.pdf
    • https://uploads.strikinglycdn.com/files/fa0d65a7-c6b7-4689-bb71-0a344799443f/54368805275.pdf
    • https://uploads.strikinglycdn.com/files/b8aea1d9-a740-4642-80f8-3922543e3a8b/icse_class_3_english_grammar_book.pdf
    • https://uploads.strikinglycdn.com/files/36513e5f-25d4-4bc1-8beb-5a6885f5ebc1/stihl_011_avt_parts_manual.pdf
    • https://uploads.strikinglycdn.com/files/3bc6d020-05ac-46e6-862f-e7f2fceb555b/autocad_command_window_gone.pdf
    • http://sakogabutal.onlinewebshop.net/89445649845.pdf
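As an added illustration, not code or output from the analysis tool that produced this report, the following Python approximates the PDF_SEO_LINK_FARM heuristic above: it pulls /URI action targets out of uncompressed PDF objects, then checks file size, external link count, the share of links that point at other PDFs, and how strongly they concentrate on a single host. The thresholds, the helper names and the sample URLs (reserved .test hosts) are assumptions for this example, and the sample PDF is constructed inline. Many real carriers keep their annotation dictionaries inside compressed object streams, so a production version should run a proper PDF parser over the decompressed objects rather than a regex over the raw file.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Matches an uncompressed /URI action string, e.g. /URI (https://h.test/a.pdf),
# allowing escaped parentheses and backslashes inside the PDF literal string.
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")


def extract_uris(pdf_bytes: bytes) -> list:
    """Return every /URI action target in the uncompressed objects of a PDF.
    Octal escapes and objects inside compressed object streams are not handled."""
    uris = []
    for match in URI_RE.finditer(pdf_bytes):
        raw = re.sub(rb"\\(.)", rb"\1", match.group(1))  # \( \) \\ -> ( ) \
        uris.append(raw.decode("latin-1"))
    return uris


def link_farm_verdict(pdf_bytes: bytes, max_size=256 * 1024, min_links=10,
                      min_pdf_share=0.5, min_top_host_share=0.3) -> dict:
    """Approximate the PDF_SEO_LINK_FARM heuristic: a small file whose external
    links mostly point at other PDFs and cluster on one host. The thresholds are
    assumptions for this example, not the report tool's."""
    external = [u for u in extract_uris(pdf_bytes)
                if urlparse(u).scheme in ("http", "https")]
    pdf_links = [u for u in external if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in external)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    n = len(external)
    pdf_share = len(pdf_links) / n if n else 0.0
    top_share = top_count / n if n else 0.0
    flagged = (len(pdf_bytes) <= max_size and n >= min_links
               and pdf_share >= min_pdf_share and top_share >= min_top_host_share)
    return {"external_links": n, "pdf_links": len(pdf_links), "top_host": top_host,
            "top_host_share": round(top_share, 2), "flagged": flagged}


def build_sample_pdf(urls: list) -> bytes:
    """Constructed test input: a one-page PDF carrying one /Link annotation with a
    /URI action per URL. No xref table is emitted; the extractor does not need it."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    annot_refs = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(urls)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots ["
                + annot_refs + b"] >>")
    for url in urls:
        esc = (url.encode("latin-1").replace(b"\\", b"\\\\")
               .replace(b"(", b"\\(").replace(b")", b"\\)"))
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [72 700 540 712] "
                    b"/A << /S /URI /URI (" + esc + b") >> >>")
    out = b"%PDF-1.4\n"
    for i, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % i + body + b"\nendobj\n"
    out += b"trailer\n<< /Root 1 0 R /Size %d >>\n%%%%EOF\n" % (len(objs) + 1)
    return out


# Constructed samples (reserved .test hosts): twelve external .pdf links, seven of
# them on one CDN-style host, mirroring the shape of the list in this report, and a
# two-link "clean" document for comparison.
FARM_URLS = (
    [f"https://cdn.example-farm.test/files/{i}/report_{i}.pdf" for i in range(6)]
    + ["https://aaa.example-host.test/uploads/1/3/4/0/1234/8e366b9.pdf",
       "https://bbb.example-host.test/uploads/1/3/6/0/5678/mubuxa.pdf",
       "http://ccc.example-host.test/91453477697.pdf",
       "http://ddd.example-host.test/effects_of_tardiness.pdf",
       "https://cdn.example-farm.test/files/note_(draft).pdf",
       "https://eee.example-host.test/stihl_011_avt_parts_manual.pdf"]
)
CLEAN_URLS = ["https://docs.example.test/manual.html", "https://www.example.test/"]

if __name__ == "__main__":
    for name, urls in (("farm", FARM_URLS), ("clean", CLEAN_URLS)):
        print(name, link_farm_verdict(build_sample_pdf(urls)))
```

The host-concentration check is what separates a generated carrier from a bibliography: a legitimate document with many citations spreads them over many unrelated hosts, whereas SEO carriers are stamped out from a template that points back at the same hosting bucket. Tune the thresholds against your own corpus before using this as anything more than a triage signal.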