Malicious PDF — malware analysis report

Static analysis result for SHA-256 f498cf3c67aa3a6c…

MALICIOUS

PDF

Size: 40.8 KB
Created: 2021-03-04 15:24:16 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-18
MD5: e5bf481f085ef48bbf52de104f8edf30
SHA-1: b3b0a42e3d6c3f65baffbbb0a5e5636461a1967f
SHA-256: f498cf3c67aa3a6c75ac2914833f938218e44f33426b72afa8f49370a44b1d4e
Risk Score: 202

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF contains a malicious redirector link pointing to 'https://yafferge.ru/award?keyword=how+to+clean+voldyne+5000', which is flagged as malicious infrastructure. The document structure and heuristics indicate it's an image-based lure designed to trick users into clicking the link, likely leading to a phishing or credential harvesting site. No scripts were extracted, but the PDF's nature suggests it exploits a vulnerability or uses JavaScript for redirection.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7590

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Image-only document with action trigger (screenshot lure) (medium, PDF_IMAGE_LURE)
    PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 40 KB: the typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://yafferge.ru/award?keyword=how+to+clean+voldyne+5000 (In PDF document text)
    • http://palikexifumalam.mywebcommunity.org/lekijajobufanegu.pdf (In PDF document text)
    • https://static.s123-cdn-static.com/uploads/4375514/normal_5ffc793da055f.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4462974/normal_600b1d30f01b4.pdf (In PDF document text)
    • http://bekopomulasebi.getenjoyment.net/xawef.pdf (In PDF document text)
    • https://static.s123-cdn-static.com/uploads/4446494/normal_5fc7c6e1c2e3c.pdf (In PDF document text)
    • http://magexaxajatadog.getenjoyment.net/93142479014.pdf (In PDF document text)
    • https://static.s123-cdn-static.com/uploads/4423471/normal_5fcab564aa9ac.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4384655/normal_6027f93585990.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4449779/normal_5fe79ec63e44d.pdf (In PDF document text)
    • http://wudebakafepi.mypressonline.com/huffy_bike_walmart_16_inch.pdf (In PDF document text)
    • http://zabovawupe.mypressonline.com/pesavosi.pdf (In PDF document text)
    • https://static.s123-cdn-static.com/uploads/4408343/normal_5ff7566051474.pdf (In PDF document text)
    • https://44034db3-6cdd-4729-adf3-7ccd6afcf354.filesusr.com/ugd/9fe9cc_cd4e7830fc1e4cf98a94f0c7e069f6e8.pdf?index=true (In PDF document text)
    • https://994180ce-385f-4272-9833-4a204a825e0f.filesusr.com/ugd/ec0c41_e4fb2b6d837644b7821a386077b1657a.pdf?index=true (In PDF document text)
    • http://pigutun.myartsonline.com/kenmore_gas_stove_parts_manual.pdf (In PDF document text)
    • https://006b50d4-ad2a-4261-8279-34542eb0d7b0.filesusr.com/ugd/a640e9_627422b9b90640ab8d89f900e5d078c6.pdf?index=true (In PDF document text)
    • http://pivimufe.atwebpages.com/cost_structure_fashion_industry.pdf (In PDF document text)
    • https://e6676b24-921d-4f57-8fca-beda98688f3c.filesusr.com/ugd/144d27_1bbb13a1eda84bf19c5ab84553d922e3.pdf?index=true (In PDF document text)
    • https://b20aee1f-b1b7-4e4e-be5e-d884e4ece670.filesusr.com/ugd/10e3af_b89bf2899f184582955d54635403425b.pdf?index=true (In PDF document text)
    • https://8641c524-1fb5-4292-87ed-dd72f64d6c22.filesusr.com/ugd/9b7d8a_2fdea2b0312343609eab366937a50bc6.pdf?index=true (In PDF document text)
    • https://8b5ac0f3-2bc4-49a6-9a99-2541af31b215.filesusr.com/ugd/f2ef67_12fe9eaf94b64d85aae588f9ec59c3f0.pdf?index=true (In PDF document text)
    • http://naburonip.myartsonline.com/voice_warm_up.pdf (In PDF document text)
    • http://sasukagisodubex.onlinewebshop.net/53145530910.pdf (In PDF document text)