Malicious PDF — malware analysis report

Static analysis result for SHA-256 e5b8f50228b6b390…

Verdict: MALICIOUS
File type: PDF
Size: 59.7 KB
Created: 2021-03-19 21:59:35 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4b83ac18175d5ae8f79846187178a3eb
SHA-1: 3171bb0b5a140e3e1c8f8683a8103c140c1763a7
SHA-256: e5b8f50228b6b3906f8c3e236994f7c563a34338cbc39781414f7f0aa5b4e1fa
Risk Score: 154

Malware Insights

MITRE ATT&CK: T1566.001 Spearphishing Attachment

The PDF contains numerous external links, many pointing to suspicious domains, suggesting a link farm or phishing attempt. The heuristic PDF_SEO_LINK_FARM indicates a mass of external links designed to appear as legitimate search results. The ClamAV detection and ML classifier further support its malicious nature, likely as a phishing lure or a distribution point for further malware.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9754

Heuristics (4)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://fokemale.ru/award?keyword=cara+edit+pdf+di+adobe+acrobat+reader+dc
    • https://xovosoze.weebly.com/uploads/1/3/4/3/134370725/zulotadekigi_nadejudu.pdf
    • https://dilaxala.weebly.com/uploads/1/3/4/8/134865885/wokinamigokelupeje.pdf
    • https://dalupapixoriwu.weebly.com/uploads/1/3/1/4/131438121/kateperenabug_sazofunof_xinena.pdf
    • http://bogplaktnc.fun/44108970651xke3l.pdf
    • https://nabovuguxobe.weebly.com/uploads/1/3/1/8/131871891/pimemodogobep_tojigidedesu.pdf
    • https://denesibupu.weebly.com/uploads/1/3/0/7/130774977/7941808.pdf
    • http://familyit.pro/15262528205zegvk.pdf
    • http://notalebapol.iblogger.org/discuss_the_antimicrobial_susceptibility.pdf
    • http://1xbets-regs.site/51145107912t7wj6.pdf
    • http://tebepif.22web.org/95562821857.pdf
    • http://power-guard.shop/best_mythological_fiction_books_india58wj7.pdf
    • https://7ef5d8b8-74ac-4e0a-b0a0-fa61ca6462a8.filesusr.com/ugd/23e9be_6a7ec9a33162428cb2b14aa505f81dab.pdf?index=true
    • https://s3.amazonaws.com/kofabube/activities_for_the_book_david_goes_to_school.pdf
    • https://1ac5d900-0c69-4f12-8b1d-4e209472b8d2.filesusr.com/ugd/828753_d176404ee4cf4d329ddd59a80a2f9377.pdf?index=true
    • https://s3.amazonaws.com/fefurorobumi/jirijewefesedekekow.pdf
    • https://s3.amazonaws.com/vinejivunitego/49532098206.pdf
    • http://sulojigemijat.rf.gd/pezegubejazelipazisawep.pdf
    • https://s3.amazonaws.com/vezumobigodub/disadvantages_of_integrated_reporting.pdf
    • https://21e323bd-7fdd-46e9-a6c7-4880e76d7610.filesusr.com/ugd/0a51c1_72f4b8896ab947498e1bac86fbb031d3.pdf?index=true
    • https://77cbb24c-feae-490b-854c-0a9d4db21a85.filesusr.com/ugd/3752ea_acfdfbbe8d6c4b05b4706b5731ec50e2.pdf?index=true
    • https://18e99e0c-7034-4a8c-9069-267580a295b8.filesusr.com/ugd/b337f5_0414710e553b4d6d8abd255e82df5ad9.pdf?index=true