Malicious PDF — malware analysis report

Static analysis result for SHA-256 f867a37d06597c93…

MALICIOUS

PDF

76.3 KB Created: 2021-03-26 07:43:29 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d6829f2731f4992c447362f24a982d64 SHA-1: dd9b56d9d741c0672d7aa935763fd6889619fefd SHA-256: f867a37d06597c933d2f686a9d66f7ceba5690b2015509d6b9ac553cdfde8961
182 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains numerous embedded links, with at least one pointing to known malicious redirector infrastructure (https://yafferge.ru/award?keyword=business+correspondence+in+english+pdf). The ML classifier and ClamAV detection strongly indicate malicious intent. The document body, though heavily obfuscated, appears to be a lure related to 'business correspondence'. No scripts were extracted, but the PDF structure itself facilitates redirection to malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9717

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://yafferge.ru/award?keyword=business+correspondence+in+english+pdf
    • https://siximegam.weebly.com/uploads/1/3/1/4/131453251/xuvexulimanozibuv.pdf
    • http://goxivomibivufuv.mywebcommunity.org/bepopizikodokisazilili.pdf
    • http://the-glow.ru/everstart_750_amp_jump_starter_manualyav2k.pdf
    • http://torchland.xyz/2017_vw_tiguan_maintenance_schedule_uk2hdj2.pdf
    • https://xanodupujariris.weebly.com/uploads/1/3/0/9/130969381/e315fe2f78.pdf
    • https://cdn.sqhk.co/vakusukereju/ibhjihj/service_company_income_statement_expenses.pdf
    • https://rofewure.weebly.com/uploads/1/3/3/9/133999154/divimozokaraf.pdf
    • https://bupedokan.weebly.com/uploads/1/3/1/6/131607930/1350813.pdf
    • https://cdn.sqhk.co/tebefaravuz/wcChagg/69093737622.pdf
    • https://cdn-cms.f-static.net/uploads/4405179/normal_603ac705e5b4f.pdf
    • http://wide-do.top/canon_rebel_xt_review3fv58.pdf
    • https://cdn-cms.f-static.net/uploads/4490725/normal_601c90832565a.pdf
    • https://static.s123-cdn-static.com/uploads/4370987/normal_5fe1607a1c081.pdf
    • https://cdn-cms.f-static.net/uploads/4403820/normal_6023b955adca8.pdf
    • http://medway24.com/falutowafebatiduxujub0h2zc.pdf
    • http://woranuganavot.myartsonline.com/china_s_1979_war_with_vietnam_a_reassessment.pdf

Open this report in the interactive analyzer, or submit your own file for analysis.