Malicious PDF — malware analysis report

Static analysis result for SHA-256 c72af6447b195c8f…

Verdict: MALICIOUS

File type: PDF

Size: 67.6 KB
Created: 2021-03-05 18:00:12 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-22
MD5: 4f4b5a88e9437c5aaa5970e88be2735a
SHA-1: cfc24c787e5209329370b6277ac17f578107ffb8
SHA-256: c72af6447b195c8f01a0fb4db65944fccf9588e8c0271dc8a617507a8864ebed
Risk Score: 154

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF document was flagged as malicious by ClamAV. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier: suspicious score 0.4770

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.