PDF malware analysis — malicious · f299eb5609862b2f

MALICIOUS

PDF

49.6 KB Created: 2020-12-24 01:15:54 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: c1fb715b26aaca617988b52d6e4f59f5 SHA-1: bfb2a601a12eaf6174086b9fc7aec9bba0afc43c SHA-256: f299eb5609862b2f4fe24f5935c0cde68c509d4941c770f5ec0fd560c375fb4a

262 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

This PDF document is designed as a phishing lure, using a screenshot to entice users to click on a link. The embedded link redirects to malicious infrastructure, specifically identified as a redirector. The document also contains a large number of external links, many hosted on disposable domains, suggesting a link farm used for SEO poisoning or to distribute further malicious content.

Machine Learning

Nyx PDF Classifier malicious score 0.7011

Heuristics 6

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE

PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 49 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://cctraff.ru/aws?utm_term=bollywood+movies+song++2019
- https://riwisasivituw.weebly.com/uploads/1/3/1/0/131070703/manovabesedu.pdf
- https://demuxovepeb.weebly.com/uploads/1/3/4/3/134311881/sosugetovixobuse.pdf
- https://cdn-cms.f-static.net/uploads/4365602/normal_5f873ed6a3194.pdf
- https://gusumadanu.weebly.com/uploads/1/3/2/6/132695601/gavubodogelivufifo.pdf
- https://nusoselif.weebly.com/uploads/1/3/4/4/134470887/a356bee60.pdf
- https://kozikimonewuzo.weebly.com/uploads/1/3/4/5/134592445/jobiginux-radepi.pdf
- https://menusopam.weebly.com/uploads/1/3/4/5/134597334/2d05301737d7d7b.pdf
- https://cdn-cms.f-static.net/uploads/4447085/normal_5fbc5a053ee7f.pdf
- https://cdn-cms.f-static.net/uploads/4373004/normal_5f8ad380b85f9.pdf
- https://s3.amazonaws.com/mizeteb/84734793221.pdf
- https://s3.amazonaws.com/taturi/meadville_r-iv_school_district_mo.pdf
- https://uploads.strikinglycdn.com/files/61ce89be-559d-4649-88e6-32a087654ccd/west_side_ymca_tender_care.pdf
- https://uploads.strikinglycdn.com/files/268ba50a-64c6-442a-ab08-c157ba8906fc/business_driven_technology_8th_editi.pdf

Open this report in the interactive analyzer, or submit your own file for analysis.