Malicious PDF — malware analysis report

Static analysis result for SHA-256 d18568391fd9754b…

Verdict: MALICIOUS
File type: PDF
Size: 52.6 KB
Created: 2021-03-22 09:51:25 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-25
MD5: 499556c313161ae0389d848ec6382b18
SHA-1: 32cf0d83857d9492da197eedcb87025a4283deff
SHA-256: d18568391fd9754b779e5c9c0e2f04a599e35f9a2bb94be91f5501ad7760309c
Risk score: 124

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

This PDF document was flagged as malicious by ClamAV and by an ML classifier. The file embeds a large number of external links in the pattern of an SEO link farm: many .pdf links spread across many unrelated hosts, one utm_term SEO-redirector link annotation, and links parked on free or disposable content hosts. The document itself carries no exploit; the risk is in the linked destinations, so the actionable indicators are the URLs and hosts below rather than the file's own content (the T1203 mapping above is not supported by any heuristic that fired on this sample). Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7480

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (severity: critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting (severity: medium) PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • External URI (severity: info) PDF_URI
    PDF contains an external URL action
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://leonvi.ru/aws?utm_term=ubiquiti+rocket+m2+access+point+configuration (PDF link annotation)
    • https://cdn.sqhk.co/wafavalufa/gRVgfRm/berezavegukudetubevimat.pdf (in PDF document text)
    • http://draiwenstore.online/starbucks_barista_salary_nyc_20199xbw0.pdf (in PDF document text)
    • http://obmenkalnr.online/bosidopoboxogurnmd58.pdf (in PDF document text)
    • https://cdn.sqhk.co/vebapejun/igjsihs/video_game_release_date_warcraft.pdf (in PDF document text)
    • http://servicesforsupport.com/gilukavamori4b7gi.pdf (in PDF document text)
    • http://plsale.pro/que_es_materia_en_quimicargfdq.pdf (in PDF document text)
    • http://kyukty68.xyz/98685305154vhwrz.pdf (in PDF document text)
    • https://cdn.sqhk.co/vujagefamig/f3jgAic/epic_books_teacher_login.pdf (in PDF document text)
    • http://sayfelengs.space/77193215344bvkdg.pdf (in PDF document text)
    • http://blog-millionaire.buzz/ali_g_indahouse_movie_720pr6nhg.pdf (in PDF document text)
    • https://cdn.sqhk.co/kigaratak/z4ja1hg/37442299633.pdf (in PDF document text)
    • https://cdn.sqhk.co/toxodimina/fnjiJQb/godujipu.pdf (in PDF document text)
    • http://it50discount.pro/tascam_dr-05_audio_recordererkvi.pdf (in PDF document text)
    • http://megatorg.ru/hypertension_guidelines_2019_algorithme7x08.pdf (in PDF document text)
    • http://procripton.com/que_significa_cuando_se_rompe_un_anillo_de_plata851iv.pdf (in PDF document text)
    • http://bumadodari.iblogger.org/jisavawepagekuwegafekaz.pdf (in PDF document text)
    • https://s3.amazonaws.com/fifomi/gezijo.pdf (in PDF document text)
    • http://jimibidubarabus.epizy.com/economizer_design_guide.pdf (in PDF document text)
    • http://lowazuxakosilal.epizy.com/lifusegik.pdf (in PDF document text)
    • https://s3.amazonaws.com/ximupuv/pazaviz.pdf (in PDF document text)
    • http://jiwimid.epizy.com/what_is_the_new_software_update_for_tesla_model_3.pdf (in PDF document text)
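The two URL-based heuristics above (EMBEDDED_URL, which pulls URLs out of link annotations and document text, and PDF_SEO_DISPOSABLE_LINK_FARM, which scores them for the "many .pdf links, no dominant host, utm_term redirector and/or disposable hosts" pattern) can be reproduced in a few dozen lines. The following is an added example written for this page, not the scanner's own code. It extracts /URI link-annotation targets and bare URLs from raw PDF bytes with regexes (uncompressed objects only; a real extractor would inflate FlateDecode streams and walk the object graph first), then applies the link-farm rule. The thresholds, the disposable-host suffix list, and the constructed sample PDF with its host names are assumptions made for illustration.

```python
"""Link-farm heuristic over URLs extracted from a PDF.

Added example, not the scanner's own code. Thresholds, the disposable-host
list and the sample PDF are assumptions made for illustration.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# /URI (target) inside a link annotation's /A action dictionary.
URI_ACTION_RE = re.compile(rb"/URI\s*\((?P<u>[^)]*)\)")
# Bare URLs anywhere in the (uncompressed) file, e.g. inside text strings.
BARE_URL_RE = re.compile(rb"https?://[^\s<>()'\"]+")

# Assumed list of free/disposable content hosts (matched as host or suffix).
DISPOSABLE_HOSTS = ("epizy.com", "iblogger.org", "s3.amazonaws.com", "sqhk.co")
# Assumed thresholds for "many links" and "no single dominant host".
MIN_PDF_LINKS = 10
MAX_DOMINANT_SHARE = 0.5


def extract_urls(pdf_bytes):
    """Return (annotation_urls, text_urls) found in uncompressed PDF content."""
    ann = [m.group("u").decode("latin-1") for m in URI_ACTION_RE.finditer(pdf_bytes)]
    text = [m.group(0).decode("latin-1") for m in BARE_URL_RE.finditer(pdf_bytes)]
    # The bare regex also matches the annotation targets; keep those only once.
    text = [u for u in text if u not in ann]
    return ann, text


def host_of(url):
    return urlsplit(url).hostname or ""


def is_disposable(host):
    return any(host == d or host.endswith("." + d) for d in DISPOSABLE_HOSTS)


def link_farm_verdict(urls):
    """Apply the link-farm rule and return the evidence alongside the verdict."""
    pdf_links = [u for u in urls if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(host_of(u) for u in pdf_links)
    dominant_share = (max(hosts.values()) / len(pdf_links)) if pdf_links else 0.0
    utm_term = [u for u in urls if "utm_term" in parse_qs(urlsplit(u).query)]
    disposable = sorted({host_of(u) for u in urls if is_disposable(host_of(u))})
    spread_thin = len(pdf_links) >= MIN_PDF_LINKS and dominant_share <= MAX_DOMINANT_SHARE
    return {
        "pdf_links": len(pdf_links),
        "distinct_hosts": len(hosts),
        "dominant_share": round(dominant_share, 3),
        "utm_term_links": utm_term,
        "disposable_hosts": disposable,
        # Corroboration (redirector or disposable hosting) is required, as in the rule text.
        "flagged": spread_thin and (bool(utm_term) or bool(disposable)),
    }


def scan(pdf_bytes):
    ann, text = extract_urls(pdf_bytes)
    return link_farm_verdict(ann + text)


def build_sample_pdf():
    """Constructed sample: one page, one /URI link annotation with a utm_term
    redirector, and a content stream listing .pdf links on many distinct hosts,
    two of them on assumed disposable hosts. Host names are made up."""
    text_urls = [f"http://host{i:02d}.example/doc{i}.pdf" for i in range(1, 11)]
    text_urls += ["http://free1.epizy.com/a.pdf", "https://s3.amazonaws.com/b/c.pdf"]
    stream = f"BT /F1 8 Tf 20 700 Td ({' '.join(text_urls)}) Tj ET".encode()
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Contents 4 0 R /Annots [5 0 R] >>",
        b"<< /Length %d >>\nstream\n" % len(stream) + stream + b"\nendstream",
        b"<< /Type /Annot /Subtype /Link /Rect [20 20 200 40] "
        b"/A << /S /URI /URI (https://seo.example/aws?utm_term=free+template) >> >>",
    ]
    out = [b"%PDF-1.4"]
    for n, o in enumerate(objs, 1):
        out.append(b"%d 0 obj\n" % n + o + b"\nendobj")
    out.append(b"trailer << /Root 1 0 R >>\n%%EOF")
    return b"\n".join(out)


if __name__ == "__main__":
    print(scan(build_sample_pdf()))
```

The counter-case matters as much as the hit: a document that cites a dozen papers from a single publisher host has the same link count but a dominant-host share of 1.0, so `spread_thin` is false and the rule stays quiet, which is what distinguishes a citation pattern from a link farm.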