Malicious PDF — malware analysis report

Static analysis result for SHA-256 d9980c0f19af38c2…

MALICIOUS

PDF

58.6 KB Created: 2021-03-06 05:17:53 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f8ebdcbe16fedea45e0055edaa96b3ae SHA-1: c67433ebe44c23e91dc84eebe2780ddcba74fe05 SHA-256: d9980c0f19af38c256404c9ae8a42bc359d8e22fab7756e5ab894b6784503bab
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF document contains a large number of external links, many of which are likely part of a link farm designed to manipulate search engine results or redirect users to malicious sites. The primary malicious URL identified is 'https://dugedepap.ru/strik?utm_term=fios+remote+not+working+after+changing+batteries', which is likely used for phishing or malware distribution. The presence of ClamAV and ML heuristic firings further supports its malicious classification.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6975

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://dugedepap.ru/strik?utm_term=fios+remote+not+working+after+changing+batteries
    • http://form-lnstagramverificationbadge.com/manazofogovu2hgby.pdf
    • https://cdn.sqhk.co/safubuguva/R0D7Rjf/tufutegir.pdf
    • https://cdn.sqhk.co/goxobuve/1pjhKvJ/dufufowidafix.pdf
    • https://cdn.sqhk.co/dixejetafap/jctigfQ/video_live_wallpaper_iphone_11.pdf
    • https://cdn.sqhk.co/waxipefimafa/jbjcn6J/deemo_reborn_pc.pdf
    • http://csxmoney.info/kubota_t1400_manualbvc5d.pdf
    • https://cdn.sqhk.co/sulugedako/viegDIQ/19125490333.pdf
    • https://cdn.sqhk.co/rirelolut/Kigiagj/luxelir.pdf
    • https://cdn.sqhk.co/xukerejolar/WhaTgh9/santorini_restaurant_miami_menu.pdf
    • http://zavodtriumf.com/art_models_2589ia.pdf
    • https://static.s123-cdn-static.com/uploads/4490523/normal_5fedde6232dca.pdf
    • https://static.s123-cdn-static.com/uploads/4378623/normal_6002ecb85f154.pdf
    • http://viziwojejafukak.iblogger.org/28077034653.pdf
    • https://static.s123-cdn-static.com/uploads/4386618/normal_5fe3fe7689b67.pdf
    • http://loletopuwiv.iblogger.org/detolaguxogajijoviwokibi.pdf
    • https://229c3593-bb94-4e5d-9b9f-ca3747df48ef.filesusr.com/ugd/145364_46a9f91ef7134958be4971686a9f1778.pdf?index=true
    • https://fa53e508-d88d-41cb-897c-7a5b6f1bfcc3.filesusr.com/ugd/361045_80e144f59a824a0497ec437cb10b85f9.pdf?index=true
    • https://e0a971b2-7104-4718-9e5f-4f17d768618f.filesusr.com/ugd/6d43b6_2e224691251e4fcabd2d6ee0bb65a06a.pdf?index=true
    • http://babematalal.epizy.com/29636424500.pdf

Open this report in the interactive analyzer, or submit your own file for analysis.