Malicious PDF — malware analysis report

Static analysis result for SHA-256 debf38662e1d80a1…

MALICIOUS

PDF

38.1 KB Created: 2021-03-19 05:10:40 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 08d26aa56134f17781c8d38438a7e739 SHA-1: 6a2bd03fe969c4fe4c380fc64d120acf8afffce2 SHA-256: debf38662e1d80a1935462a1c1e5cb5b5b490c9fc8241ee392242d40b6b3e3d5
144 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF is identified as an image-only lure, a common tactic for phishing or malware distribution. It contains multiple external URLs, with at least one pointing to a suspicious domain (jottigo.ru) that is likely part of a redirection chain. The ClamAV detection and ML classifier further support its malicious nature, indicating it's a phishing trojan.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6767

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 38 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jottigo.ru/aws?utm_term=1999+polaris+xplorer+400+carb+adjustment
    • http://lurubalopare.sportsontheweb.net/nuxemojadopamorototu.pdf
    • http://tixesikixux.mygamesonline.org/mopusudijo.pdf
    • https://cdn.sqhk.co/busanurutar/cogcbwn/88224662041.pdf
    • http://converstarget.ru/payaliya_bajni_lado_piya_song_audioqcmbo.pdf
    • http://espacecmb.xyz/foregafosajosajurxvhmb.pdf
    • https://cdn.sqhk.co/tipusuzog/Ygcihih/joluroxazuzexinuluke.pdf
    • https://uploads.strikinglycdn.com/files/b70a79f1-a42b-455b-a781-66e460426c65/how_to_replace_a_stove_knob.pdf
    • https://f6e2a16f-d004-42cd-8f17-0463e090774c.filesusr.com/ugd/c70c35_55a3574869924318b0047b5fd384114a.pdf?index=true
    • https://uploads.strikinglycdn.com/files/8a74efad-cf5b-4d0e-9c81-da9517b0d86b/18574496365.pdf
    • https://uploads.strikinglycdn.com/files/4f7594a9-4911-4cb3-9c78-c76aa2fa9bf6/how_do_i_find_kelley_blue_book_value.pdf
    • http://ritumogadoj.onlinewebshop.net/45659036610.pdf

Open this report in the interactive analyzer, or submit your own file for analysis.