Malicious PDF — malware analysis report

Static analysis result for SHA-256 d80ff245c51067d4…

Verdict: MALICIOUS
File type: PDF
Size: 46.1 KB
Created: 2021-03-14 00:00:10 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 67564d60f414530abe2b21f679aed285
SHA-1: 25fcb0f9b047542cbcdc3f93cdebd2a30c1e052e
SHA-256: d80ff245c51067d4041937a9a65058086ed73b48505de6afb4c7efc3e25c1de6
Risk Score: 114

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF is flagged as malicious by ClamAV and by an ML classifier, and the heuristics indicate that it is an image-only lure with a click-outward action. The embedded URL `https://gimoguvi.ru/award?keyword=attacking+anxiety+and+depression+workbook+pdf` is the primary indicator of a phishing or malware distribution attempt. No scripts were extracted, but the document structure suggests it is designed to trick the user into navigating to the external link.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8552

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, label: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Image-only document with action trigger (screenshot lure) (severity: medium, label: PDF_IMAGE_LURE)
    PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 46 KB: the typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • External URI (severity: info, label: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, label: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://gimoguvi.ru/award?keyword=attacking+anxiety+and+depression+workbook+pdf
    • http://belkwigs.com/how_to_put_bose_speaker_into_pairing_modez8lau.pdf
    • https://cdn.sqhk.co/fusuzogik/dididQe/3d_car_body_design_software_free.pdf
    • https://kusavavatixe.weebly.com/uploads/1/3/4/8/134878613/5aa1beda876ac.pdf
    • https://kunexiravirub.weebly.com/uploads/1/3/5/3/135344507/koterar.pdf
    • http://topdouche.xyz/laputobimeduk160y.pdf
    • https://cdn.sqhk.co/baziwuwe/rjihbJl/vaxerepufadi.pdf
    • http://dedokomaweza.22web.org/resident_evil_retribution_movie_in_tamil.pdf
    • http://businessoutsourcing.org/70502140407inynz.pdf
    • https://cdn.sqhk.co/remudejifi/iKxZiiD/xamaxis.pdf
    • https://zuwojutiraz.weebly.com/uploads/1/3/4/7/134729165/rozulef_gavivebad.pdf
    • https://05f6fcc2-a4c7-4d5b-b58c-97b640a93f4d.filesusr.com/ugd/74147a_536fdb1cb44f439985056280aa1b8af2.pdf?index=true
    • https://1d942ef5-affb-47d8-8f99-70a3d187b733.filesusr.com/ugd/3283b0_bfb46e34a8b94a1aa9e82efe836e0dd6.pdf?index=true
    • https://4be8a7ba-6c9a-47a4-99fc-a5961b41a404.filesusr.com/ugd/132250_d9739601abf5499c830c788bc843029f.pdf?index=true
    • http://wikatamuk.rf.gd/baby_emoji_pictionary_game_answers.pdf
    • http://dipimov.epizy.com/what_does_reference_code_s0a00.pdf
    • http://zonadomafi.rf.gd/vupepov.pdf
    • https://37e0f79d-b0c1-4727-b76d-5b759c81288f.filesusr.com/ugd/9c66ff_f044b25e9ad9496b940b4d14ae198726.pdf?index=true
    • https://6c8027e1-9878-41b3-a9ef-32ba2b6bcd02.filesusr.com/ugd/185811_74c5d2da57404757a4fd219a8adf6aba.pdf?index=true