Malicious PDF — malware analysis report

Static analysis result for SHA-256 f5dabd97008bd0be…

MALICIOUS

PDF

Size: 63.9 KB
Created: 2021-06-02 11:31:53 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: fc4f5079622b9204f0a4bc491f1b6c83
SHA-1: c297b02492fb311ba254affc80678a157573f96b
SHA-256: f5dabd97008bd0be8f040bb84fb2361c3e085f094a49ca45a1a0a8590aec3f04
Risk Score: 124

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains embedded URLs and is flagged by multiple heuristics as malicious, including a high ML score and ClamAV detection. The document body, though corrupted, suggests a lure related to accident reports, directing users to a suspicious URL. The presence of numerous external links and disposable hosting indicates a link farm designed to redirect users to potentially malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9614

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://wastran.ru/pbw?utm_term=how+do+i+look+up+an+accident+report+in+north+carolina