Malicious PDF — malware analysis report

Static analysis result for SHA-256 d4be99b34a8149cd…

MALICIOUS

PDF

50.3 KB Created: 2021-03-29 21:30:01 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 56b7f1cbed98b84ead93d6f5a6ab084b SHA-1: c615015d0db5f6dc1bf606dfe1802916782c0567 SHA-256: d4be99b34a8149cdd8a2cefd38a1988e8e5a3477b0036f203db5fc617a35b5f7
114 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF is identified as an image-only lure, typical of phishing campaigns, containing a clickable link to 'jottigo.ru'. The presence of numerous external links, including a link farm, suggests a malicious intent to redirect users to potentially harmful content or facilitate further exploitation. While no scripts were explicitly extracted, the PDF structure and heuristic firings strongly indicate a malicious document designed to deceive users.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9328

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 50 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jottigo.ru/award?keyword=site+reliability+engineering+pdf+portugues
    • https://xusalifur.weebly.com/uploads/1/3/4/1/134131705/jaguwefi_jetolinu_gigisejefovug_dexowobodip.pdf
    • https://sapilijufidukuw.weebly.com/uploads/1/3/4/9/134901451/mejabufeteleg.pdf
    • https://cdn.sqhk.co/vatukaso/5yiehiO/16529602796.pdf
    • https://static.s123-cdn-static.com/uploads/4422909/normal_5fcd02ef6c07c.pdf
    • https://cdn-cms.f-static.net/uploads/4459028/normal_5fe6fdb8e9ba0.pdf
    • https://cdn-cms.f-static.net/uploads/4500692/normal_5fd148631e141.pdf
    • https://betubuko.weebly.com/uploads/1/3/1/3/131379781/8481882.pdf
    • https://cdn.sqhk.co/sunomedude/rjcS2fy/mountain_sniper_3d_shooter_apk_mod.pdf
    • http://lakuvekavepoka.iblogger.org/78738664020.pdf
    • https://cdn-cms.f-static.net/uploads/4482418/normal_6050c7a97460a.pdf
    • https://cdn-cms.f-static.net/uploads/4425506/normal_602955a5970a3.pdf
    • https://91953a53-6f32-4f2a-9b2e-0f954541ff31.filesusr.com/ugd/dad90e_242cab2a1f8345088767d7af524df9f9.pdf?index=true
    • https://26c1613e-5d28-4fa3-89cb-3d2c9ab59faf.filesusr.com/ugd/fe83c3_683be0562396423ebd66170f7276c4f7.pdf?index=true
    • https://6323cc82-cf72-43ae-bc7a-f8d691a1d37e.filesusr.com/ugd/4f3578_29e84cdaf8954e20bdd48f4f3092e61b.pdf?index=true
    • https://48bf584d-d56c-45cf-b4f3-c1c05dce5274.filesusr.com/ugd/3f4b99_ddfc1d22ace7454da53a3f8fe3464b0a.pdf?index=true
    • https://46fb9a51-9e16-4ad8-811e-2f7ed01702f7.filesusr.com/ugd/53363c_4aaa56f641404cf7bf1d99ec9e022422.pdf?index=true
    • http://tawaxinazaka.rf.gd/how_do_i_reset_my_nordictrack_console.pdf
    • https://6c639bf1-704a-4500-b661-329758898742.filesusr.com/ugd/02d620_0097c62c57594091b829762ace80c458.pdf?index=true
    • https://50fe66f1-00be-429c-ab6c-57a9f80d6ab9.filesusr.com/ugd/39cb9d_9613b862ff8944a5828e177f63f55583.pdf?index=true
    • https://f64a1a0a-debf-4843-a838-a34c0cae0f4a.filesusr.com/ugd/89602e_15537f00fe914bf8b9a951450a0dcee0.pdf?index=true

Open this report in the interactive analyzer, or submit your own file for analysis.