Malicious PDF — malware analysis report

Static analysis result for SHA-256 c77ad79003bad617…

MALICIOUS

PDF

58.2 KB Created: 2021-04-19 23:48:00 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 273879c7c3d089fd3e60dda8da255ca5 SHA-1: 62273a8479e6c7258405080d621445e84873cf7d SHA-256: c77ad79003bad617c2499b217d7f44873b945898b7ecdc9f1a9f289df829879f
174 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file is identified as malicious by ClamAV and ML classifiers, exhibiting characteristics of a phishing lure. It contains numerous external links, with a primary link to 'https://kuzutuzo.ru/strik?utm_term=how+to+bypass+zone+on+dsc+1616', suggesting a phishing attempt or a redirect to a malicious site. The heuristic 'PDF_IMAGE_LURE' indicates the document is image-based, designed to trick users into clicking an embedded action, which aligns with the presence of external URIs.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7345

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 58 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://kuzutuzo.ru/strik?utm_term=how+to+bypass+zone+on+dsc+1616
    • http://zawukinaloluku.sportsontheweb.net/85114681327.pdf
    • https://cdn.sqhk.co/nupozifulija/hgghgeJ/swords_and_sandals_5_redux_guide.pdf
    • http://verifedform.com/vejimiseluxatifanodh96q5.pdf
    • http://gagivukamuw.getenjoyment.net/97209701483.pdf
    • https://cdn.sqhk.co/sadirorig/45MjfJH/como_se_pronuncia_ranking.pdf
    • https://cdn.sqhk.co/sokulutesi/f2Mjfhe/74235211601.pdf
    • https://cdn.sqhk.co/tubadaluzafu/vidgjjh/slot_machine_jammer_app.pdf
    • https://cdn.sqhk.co/kugorazig/ggjeNji/snow_bros_appliance.pdf
    • http://legrand-spb.ru/95_confidence_interval_z_score_1.96w2dep.pdf
    • http://vizenam.medianewsonline.com/tigal.pdf
    • https://cdn.sqhk.co/lubigegek/dGhczhL/orange_tree_golf_club_scottsdale_reviews.pdf
    • https://cdn.sqhk.co/nurijodefa/dreDibU/29724174855.pdf
    • https://cdn.sqhk.co/rerunaropiz/hc0vVaL/oklahoma_football_game_schedule.pdf
    • https://cdn.sqhk.co/nolagutotato/cgchidq/brick_burning_control_act_2013.pdf
    • http://straponartist.com/up_vdo_form_sarkari_resultysrc9.pdf
    • https://cdn.sqhk.co/puvivefujef/zl1iaja/download_free_zero_mod_apk_android_1.pdf
    • http://parazepurafeza.medianewsonline.com/plan_de_negocios_ejemplo_restaurante.pdf
    • https://uploads.strikinglycdn.com/files/59bc5b91-07ba-40d3-94e0-9cb184c61a76/bee_hive_dimensions.pdf
    • https://uploads.strikinglycdn.com/files/7ab38c1d-472d-4e42-9d87-65e7dd0fb76a/us_motors_1081_pool_motor_start_capacitor.pdf
    • https://5fa60de5-32ab-41ac-ba65-77330e21e623.filesusr.com/ugd/2e16aa_126685fc856c473e80b65794865fe3e5.pdf?index=true
    • https://1cdd1dcb-54a5-4750-95ad-c4cce9a68cd1.filesusr.com/ugd/1e32c2_3d0cc6fae1b24ab98f1e7379ebfa3e8b.pdf?index=true

Open this report in the interactive analyzer, or submit your own file for analysis.