Malicious PDF — malware analysis report

Static analysis result for SHA-256 fbf8d813290bcaee…

MALICIOUS

PDF

Size: 49.0 KB
Created: 2021-03-05 04:19:26 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-18
MD5: b1033182311e61c5d9ab3f1221dfeeb6
SHA-1: a845ef9231f3ebcc39e420ceeefe2df207895b5b
SHA-256: fbf8d813290bcaee3b5365f0689b1fb2e1875e0635a7e588c2ff6d64d1bedc3b
Risk Score: 184

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file contains a large number of external links, many hosted on disposable domains, suggesting a link farm or phishing attempt. The document body, though heavily obfuscated, appears to be a lure related to 'florida medicaid dental cover for adults'. The presence of PDF_SEO_LINK_FARM and PDF_SEO_DISPOSABLE_LINK_FARM heuristics, along with ClamAV's detection of Pdf.Phishing.Trojan, strongly indicates a malicious intent to redirect users to potentially harmful websites.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.7086

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.