Malicious PDF — malware analysis report

Static analysis result for SHA-256 d1c4f0e2d4dc053a…

MALICIOUS

PDF

Size: 70.5 KB
Created: 2021-06-04 21:01:47 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-24
MD5: 08f0cd421317797111eb79ab48514226
SHA-1: 9bb0d3822b20c4a3c1abb49d2e881ea72eb8713c
SHA-256: d1c4f0e2d4dc053affb0ef33d0c2032d22bc92aa987ac9e720679217e3ddc07f
Risk Score: 184

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of external links, many pointing to disposable hosting services like Weebly. The 'PDF_SEO_LINK_FARM' and 'PDF_SEO_DISPOSABLE_LINK_FARM' heuristics indicate this is a link farm designed to manipulate search engine results or redirect users to potentially malicious content. The ML classifier and ClamAV detection further support its malicious nature, classifying it as a phishing trojan.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7249

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://chcial.ru/pbw?utm_term=central+place+theory+ap+human+geography+definition (PDF link annotation)