Malicious PDF — malware analysis report

Static analysis result for SHA-256 e82757aed1ed56e2…

Verdict: MALICIOUS

File type: PDF

Size: 73.9 KB
Created: 2021-06-05 23:56:25 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 11b1172215ffdeeca9be420067a671b4
SHA-1: bc48a7279e0aba83c510742d8e511491c4008a59
SHA-256: e82757aed1ed56e235794a421871191ff88c3101e2bd0ef2ca5370398619bc11
Risk Score: 98

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • ClamAV scan did not complete [info] CLAMAV_SCAN_INCOMPLETE
    The ClamAV scan on this file did not complete (ClamAV error, exit 2); the verdict reflects only static heuristics. The result is not cached, so a later submission will retry the scan.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://krisoc.ru/pbw?utm_term=unidad+4+leccion+1+reteaching+and+practice
    • https://static.s123-cdn-static.com/uploads/4367960/normal_5fe570443b182.pdf
    • https://wipasokewuwil.weebly.com/uploads/1/3/4/0/134000036/7269725.pdf
    • https://kejedavozeve.weebly.com/uploads/1/3/1/4/131483662/8942129.pdf
    • https://nomukumimakolu.weebly.com/uploads/1/3/4/6/134649360/8da9e.pdf
    • https://ridimejaxokixis.weebly.com/uploads/1/3/5/3/135340331/xikasidifuxonav.pdf
    • https://cdn-cms.f-static.net/uploads/4493597/normal_5fd88bc31b017.pdf
    • https://dotiduku.weebly.com/uploads/1/3/4/2/134234749/6555642.pdf
    • https://static.s123-cdn-static.com/uploads/4413002/normal_6008504cbdcd6.pdf
    • https://nonovobuzodeku.weebly.com/uploads/1/3/5/3/135348203/549c3d.pdf
    • https://uploads.strikinglycdn.com/files/9b073c35-9d51-4f39-b249-a1317bf07ca2/mixupisubelomo.pdf
    • https://uploads.strikinglycdn.com/files/35665238-31b3-415c-adb3-b41efcb0e961/dm_screen_height.pdf
    • https://uploads.strikinglycdn.com/files/e19a1631-c14e-4373-9a1c-da12d2467ff9/can_i_see_who_viewed_my_saved_instagram_stories.pdf
    • https://uploads.strikinglycdn.com/files/53d83d4c-92d2-4523-99d3-569faf44238e/how_to_spot_drug_traffickers.pdf
    • https://uploads.strikinglycdn.com/files/ad2ffc31-a4d2-4e36-8fa0-0b069d5aad95/how_many_chapters_in_the_knife_of_never_letting_go.pdf
    • https://uploads.strikinglycdn.com/files/a481397f-ecb4-41a0-8b5c-2a92d3b17e4d/star_trek_the_next_generation_legacy_imdb.pdf
    • https://uploads.strikinglycdn.com/files/05daa62e-2589-4462-a06c-e7c50e6d2251/22832793971.pdf
    • https://uploads.strikinglycdn.com/files/772ab034-2f02-4d70-bbd0-bfc72c6ffe6c/39864517139.pdf
    • https://uploads.strikinglycdn.com/files/945a1c40-4edc-4b6c-bb84-83d6ed77a427/r_programming_language_download_linux.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/