Malicious PDF — malware analysis report

Static analysis result for SHA-256 c8d2abcbe9cf4c4f…

MALICIOUS

PDF

Size: 58.6 KB   Created: 2021-02-25 10:46:07 +02:00   Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b51560851d4e844c25cb7bd9cd03f68d SHA-1: 25873d553208cc563e882898831446d169a0d1e9 SHA-256: c8d2abcbe9cf4c4fd91fdfa2833bf4f88ab27bb709edabaaec710aec2359f101
Risk Score: 124

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains embedded URLs and is flagged by heuristics as a link farm and a potential phishing/malware distribution vector; the ML classifier and the ClamAV signature both indicate malicious intent. The document body is truncated and contains non-printable characters, but the utm_term value on the first link (the+painted+bird+full+movie+watch+online) shows a "watch the full movie online" lure that sends the reader to a disposable domain, most likely a redirector into a malicious site. The creator string (wkhtmltopdf, an HTML-to-PDF converter) is consistent with mass-produced web pages rendered to PDF rather than an authored document. The file itself carries no exploit; the risk is the linked destinations, so the URLs, not the PDF structure, are the indicators to block and hunt on.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8917

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://baarspo.ru/aws?utm_term=the+painted+bird+full+movie+watch+online (utm_term SEO-redirector link)
    • https://cdn-cms.f-static.net/uploads/4376606/normal_6018b9fd3a087.pdf
    • https://fofifiso.weebly.com/uploads/1/3/4/6/134613093/285717.pdf
    • https://pizovepe.weebly.com/uploads/1/3/5/3/135323062/2313179.pdf
    • http://lebizifijafaxim.medianewsonline.com/burger_king_breakfast_meal_calories.pdf
    • https://cdn-cms.f-static.net/uploads/4368741/normal_601be19a3e5e9.pdf
    • https://static.s123-cdn-static.com/uploads/4451737/normal_6005d6550f6bc.pdf
    • https://static.s123-cdn-static.com/uploads/4485946/normal_5fdffae451d0a.pdf
    • https://rexerobebaru.weebly.com/uploads/1/3/1/8/131872155/e13ab8.pdf
    • https://static.s123-cdn-static.com/uploads/4450247/normal_5fe1015dd8c51.pdf
    • http://topukovatawosu.sportsontheweb.net/kusegumozedezotume.pdf
    • https://cdn-cms.f-static.net/uploads/4481836/normal_601762672674c.pdf
    • http://numulul.mygamesonline.org/training_the_best_dog_ever.pdf
    • http://veruvipavopa.getenjoyment.net/what_we_talk_about_when_we_talk_about_love_espaol.pdf
    • https://detabusikiz.weebly.com/uploads/1/3/6/0/136022277/vesasuzinumapa.pdf
    • http://jalazekesofijot.medianewsonline.com/5891757681.pdf
    • http://xuvaxujogilo.mygamesonline.org/wusimedili.pdf
    • http://wonanikapudidak.atwebpages.com/tarerutunotukeriwivo.pdf
    • http://sogivuwe.onlinewebshop.net/roxabexedul.pdf
    • http://lobopekogolo.onlinewebshop.net/relion_blood_pressure_monitor_bp200w_manual.pdf
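The following Python re-derives the PDF_SEO_DISPOSABLE_LINK_FARM verdict described above over the URL list in this report. It is an added example, not the scanner's code: it pulls /URI link targets out of a PDF (inflating FlateDecode streams so links inside compressed objects are not missed, but without a full PDF parser and ignoring hex-string URIs), then scores the URL set for the pattern the heuristic names: a small file, many links thinly spread over many hosts with no dominant host, corroborated by a utm_term redirector and/or links parked on free hosts. The thresholds, the disposable-host list (taken from the hosts in this report) and the naive last-two-labels domain rule are illustrative assumptions; the tiny PDF built in build_sample_pdf is constructed test input, not the analysed sample.

```python
"""Added example (not the scanner's code): re-deriving the link-farm verdict."""
import re
import zlib
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Assumption: illustrative free/disposable hosting domains drawn from the hosts
# seen in this report; a production scanner would maintain a much larger list.
DISPOSABLE_DOMAINS = {
    "weebly.com", "f-static.net", "s123-cdn-static.com", "medianewsonline.com",
    "sportsontheweb.net", "mygamesonline.org", "getenjoyment.net",
    "atwebpages.com", "onlinewebshop.net",
}

# /URI (literal string) inside a link action; tolerates backslash-escaped parens.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
# stream ... endstream bodies; the lookbehind keeps 'endstream' from starting a match.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\nendstream", re.DOTALL)


def extract_uris(pdf_bytes: bytes) -> list[str]:
    """Distinct /URI targets from raw objects plus any stream that inflates with zlib."""
    found = []

    def scan(buf: bytes) -> None:
        for m in URI_RE.finditer(buf):
            raw = re.sub(rb"\\([()\\])", rb"\1", m.group(1))  # unescape \( \) \\
            found.append(raw.decode("latin-1"))

    scan(pdf_bytes)
    for m in STREAM_RE.finditer(pdf_bytes):
        try:
            scan(zlib.decompress(m.group(1)))  # FlateDecode, incl. object streams
        except zlib.error:
            continue  # not Flate-encoded (images, fonts, other filters)
    return list(dict.fromkeys(found))  # dedupe, keep first-seen order


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). Assumption: fine here; use the Public Suffix List in production."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def score_link_farm(urls, size_bytes, *, max_size=200_000, min_urls=8,
                    min_hosts=5, max_dominant_share=0.5):
    """Small file + many links spread thin over many hosts, corroborated by a
    utm_term redirector and/or a majority of links on disposable hosts."""
    hosts = [urlparse(u).hostname or "" for u in urls]
    host_counts = Counter(h for h in hosts if h)
    dominant_share = max(host_counts.values()) / len(urls) if host_counts else 0.0
    disposable = sum(registrable_domain(h) in DISPOSABLE_DOMAINS for h in hosts if h)
    has_utm_term = any("utm_term" in parse_qs(urlparse(u).query) for u in urls)
    thin_spread = (len(urls) >= min_urls and len(host_counts) >= min_hosts
                   and dominant_share <= max_dominant_share)
    corroborated = has_utm_term or disposable * 2 >= len(urls)
    return {
        "urls": len(urls),
        "distinct_hosts": len(host_counts),
        "dominant_share": round(dominant_share, 2),
        "disposable_urls": disposable,
        "has_utm_term": has_utm_term,
        "flagged": bool(size_bytes <= max_size and thin_spread and corroborated),
    }


def build_sample_pdf() -> bytes:
    """Constructed test input: one plain link annotation and one inside a FlateDecode stream."""
    plain = (b"%PDF-1.4\n1 0 obj\n<< /Type /Annot /Subtype /Link "
             b"/A << /S /URI /URI (https://plain.example/a.pdf) >> >>\nendobj\n")
    inner = (b"2 0 obj\n<< /Type /Annot /Subtype /Link "
             b"/A << /S /URI /URI (https://packed.example/b\\).pdf) >> >>\nendobj\n")
    packed = zlib.compress(inner)
    stream = (b"3 0 obj\n<< /Filter /FlateDecode /Length " + str(len(packed)).encode()
              + b" >>\nstream\n" + packed + b"\nendstream\nendobj\n")
    return plain + stream + b"%%EOF\n"


# The 20 URLs listed in this report.
REPORT_URLS = [
    "https://baarspo.ru/aws?utm_term=the+painted+bird+full+movie+watch+online",
    "https://cdn-cms.f-static.net/uploads/4376606/normal_6018b9fd3a087.pdf",
    "https://fofifiso.weebly.com/uploads/1/3/4/6/134613093/285717.pdf",
    "https://pizovepe.weebly.com/uploads/1/3/5/3/135323062/2313179.pdf",
    "http://lebizifijafaxim.medianewsonline.com/burger_king_breakfast_meal_calories.pdf",
    "https://cdn-cms.f-static.net/uploads/4368741/normal_601be19a3e5e9.pdf",
    "https://static.s123-cdn-static.com/uploads/4451737/normal_6005d6550f6bc.pdf",
    "https://static.s123-cdn-static.com/uploads/4485946/normal_5fdffae451d0a.pdf",
    "https://rexerobebaru.weebly.com/uploads/1/3/1/8/131872155/e13ab8.pdf",
    "https://static.s123-cdn-static.com/uploads/4450247/normal_5fe1015dd8c51.pdf",
    "http://topukovatawosu.sportsontheweb.net/kusegumozedezotume.pdf",
    "https://cdn-cms.f-static.net/uploads/4481836/normal_601762672674c.pdf",
    "http://numulul.mygamesonline.org/training_the_best_dog_ever.pdf",
    "http://veruvipavopa.getenjoyment.net/what_we_talk_about_when_we_talk_about_love_espaol.pdf",
    "https://detabusikiz.weebly.com/uploads/1/3/6/0/136022277/vesasuzinumapa.pdf",
    "http://jalazekesofijot.medianewsonline.com/5891757681.pdf",
    "http://xuvaxujogilo.mygamesonline.org/wusimedili.pdf",
    "http://wonanikapudidak.atwebpages.com/tarerutunotukeriwivo.pdf",
    "http://sogivuwe.onlinewebshop.net/roxabexedul.pdf",
    "http://lobopekogolo.onlinewebshop.net/relion_blood_pressure_monitor_bp200w_manual.pdf",
]

if __name__ == "__main__":
    print(extract_uris(build_sample_pdf()))
    print(score_link_farm(REPORT_URLS, 58_600))  # 58.6 KB, as in the report header
```

On the report's own URLs this yields 20 links over 16 distinct hosts with the most common host carrying only 15% of them, one utm_term redirector and 19 links on disposable hosts, so the file is flagged; ten links to a single host are not, which is the "normal document citation pattern" the heuristic contrasts against. Delimiting streams by regex rather than by /Length is a shortcut that a hostile PDF can confuse; treat the extractor as a triage aid, not a parser.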