Malicious PDF — malware analysis report

Static analysis result for SHA-256 c89465fb32d209c8…

MALICIOUS

PDF

67.6 KB Created: 2021-01-11 11:17:14 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bb6c3ee6648483324f7b0b1052235ba6 SHA-1: 41e5c9ea8d4767c58583800f2ff963c18fd31f7f SHA-256: c89465fb32d209c85673058505cec30a467220fb8c58bbd8d41040a766b612c4
124 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file was flagged by multiple heuristics, including a machine learning classifier and ClamAV, indicating malicious intent. It contains numerous external URIs, with one notable URL (`https://trafffi.ru/aws?utm_term=bootstrap+4+react+admin+template`) being part of a link farm on disposable hosting, suggesting a phishing or malware distribution scheme. No scripts were extracted, but the PDF structure and embedded links point towards a spearphishing attachment attack vector.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8907

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://trafffi.ru/aws?utm_term=bootstrap+4+react+admin+template
    • https://wesotapaxo.weebly.com/uploads/1/3/4/4/134488604/4af7bb.pdf
    • https://site-1178403.mozfiles.com/files/1178403/xokesa.pdf
    • https://famudixapakowep.weebly.com/uploads/1/3/4/8/134855218/7578515.pdf
    • https://site-1177005.mozfiles.com/files/1177005/solofikaj.pdf
    • https://site-1168358.mozfiles.com/files/1168358/36007224895.pdf
    • https://site-1187532.mozfiles.com/files/1187532/pozemakuserafakasipo.pdf
    • https://cdn.sqhk.co/zoxemetakol/jdmhhjj/filaxizijijigojat.pdf
    • https://cdn.sqhk.co/wevafofed/6YJ2p3V/the_soul_collector_2020_release_date.pdf
    • https://cdn.sqhk.co/nalujujoso/hwifV5F/mujiwofi.pdf
    • https://site-1166064.mozfiles.com/files/1166064/math_worksheets_for_1st_grade_money.pdf
    • https://s3.amazonaws.com/pesetufavo/ppt_presentation_templates_medical.pdf
    • https://s3.amazonaws.com/gopuze/aadhaar_in.pdf
    • https://s3.amazonaws.com/gifiz/gyprock_sheet_thickness.pdf

Open this report in the interactive analyzer, or submit your own file for analysis.