Malicious PDF — malware analysis report

Static analysis result for SHA-256 07f4976800199be6…

Verdict: MALICIOUS

File type: PDF

Size: 37.6 KB
Created: 2020-10-28 10:22:19 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b4380d5b72d54495935ee7a2b902af94
SHA-1: 851acc6c195ba04f2cd19d421d06dee192ae02b3
SHA-256: 07f4976800199be6802b63c302a291fc2c045040fa47d70162091d2fe38e94c9

Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded link annotations, most of which point to external PDF files on a handful of hosting CDNs, a pattern characteristic of a generated SEO link farm. One of these links points to a known malicious redirector, indicating an attempt to route the reader into a harmful redirect chain. The document body itself is heavily obfuscated and also carries the redirector URL, suggesting the file is a lure rather than a genuine document. No parser-level exploit was identified; the risk depends on the user clicking a link.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ggtraff.ru/strik?keyword=learning+curve+urban+dictionary
    • https://cdn-cms.f-static.net/uploads/4368475/normal_5f87894d99989.pdf
    • https://cdn-cms.f-static.net/uploads/4402721/normal_5f967dcb61b00.pdf
    • https://cdn-cms.f-static.net/uploads/4374199/normal_5f91ef19d52fa.pdf
    • https://cdn-cms.f-static.net/uploads/4366004/normal_5f8d942819205.pdf
    • https://cdn-cms.f-static.net/uploads/4383692/normal_5f8c68c6a7878.pdf
    • https://cdn-cms.f-static.net/uploads/4389585/normal_5f91d77b5a3a1.pdf
    • https://cdn-cms.f-static.net/uploads/4379233/normal_5f90579d62f09.pdf
    • https://cdn-cms.f-static.net/uploads/4413465/normal_5f945a166fe9f.pdf
    • https://cdn-cms.f-static.net/uploads/4384150/normal_5f9772ce1633a.pdf
    • https://cdn.shopify.com/s/files/1/0480/1475/3951/files/20169621892.pdf
    • https://cdn.shopify.com/s/files/1/0498/0218/2809/files/57776163524.pdf
    • https://cdn.shopify.com/s/files/1/0482/2653/3528/files/habbo_swat_ranks.pdf
    • https://uploads.strikinglycdn.com/files/f494f68b-e51e-4a97-b57c-0b7a708835ed/58262918014.pdf
    • https://uploads.strikinglycdn.com/files/ba0e8fee-8f2e-4ec2-a494-29c5c513e0e7/62940110327.pdf
    • https://uploads.strikinglycdn.com/files/6cf3060c-ab51-486e-b09c-765f64d0848f/land_of_the_dead_full_movie_download.pdf
    • https://uploads.strikinglycdn.com/files/b789a3d8-fdda-406d-bf3f-d230f1aa52af/jijeredekif.pdf
    • https://uploads.strikinglycdn.com/files/a204f434-6802-4287-a276-e3a3a8052902/14555568620.pdf
    • https://uploads.strikinglycdn.com/files/0a94ca1c-a2ad-4117-b584-e7d56ba3b157/tau_battlesuit_size.pdf
    • https://uploads.strikinglycdn.com/files/f5d5caa0-f118-408f-8ffd-4513178abccf/kiwovumilurilajo.pdf
    • https://uploads.strikinglycdn.com/files/a8173b06-b94b-4772-b9e4-260ee81d2ad4/venaxomejotididesel.pdf
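The two critical heuristics above (redirector link, small PDF with a host-clustered external .pdf link farm) are simple enough to reproduce for local triage. The script below is an added example, not the vendor's detection engine: it scans raw PDF bytes for /URI targets in link annotations (literal and hex string forms), counts external .pdf links per host, and applies both rules. The thresholds (100 KiB "small", 10 links, 50% on one host), the `.test` hosts and the fixture PDF it builds are assumptions; the only real indicator it carries is the redirector host named in this report. Caveat: a raw scan does not see objects inside compressed object streams, so inflate those first (or use a full parser) before trusting a negative result.

```python
"""Heuristic triage of PDF link annotations: link-farm clustering and redirector hits."""
import re
from collections import Counter
from urllib.parse import urlparse

# /URI values appear as literal strings "(...)" or hex strings "<...>" in uncompressed objects.
URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")

# Redirector host taken from this report; in practice this comes from a threat-intel feed.
KNOWN_REDIRECTOR_HOSTS = frozenset({"ggtraff.ru"})


def unescape_literal(raw: bytes) -> str:
    """Decode PDF literal-string escapes: \\( \\) \\\\ \\n \\r \\t \\b \\f and octal \\ddd."""
    out, i = bytearray(), 0
    simple = {ord("n"): 10, ord("r"): 13, ord("t"): 9, ord("b"): 8, ord("f"): 12}
    while i < len(raw):
        c = raw[i]
        if c == 0x5C and i + 1 < len(raw):  # backslash escape
            nxt = raw[i + 1]
            if nxt in b"01234567":  # up to three octal digits
                j = i + 1
                while j < len(raw) and j < i + 4 and raw[j] in b"01234567":
                    j += 1
                out.append(int(raw[i + 1:j], 8) & 0xFF)
                i = j
                continue
            out.append(simple.get(nxt, nxt))  # unknown escape: keep the char itself
            i += 2
            continue
        out.append(c)
        i += 1
    return out.decode("latin-1")


def extract_uris(pdf_bytes: bytes) -> list[str]:
    """Pull every /URI target out of the raw file (literal strings first, then hex strings).
    Objects inside compressed /ObjStm streams are invisible to this scan."""
    uris = [unescape_literal(m.group(1)) for m in URI_LITERAL.finditer(pdf_bytes)]
    for m in URI_HEX.finditer(pdf_bytes):
        hexstr = re.sub(rb"\s", b"", m.group(1))
        if len(hexstr) % 2:  # PDF pads an odd trailing digit with 0
            hexstr += b"0"
        uris.append(bytes.fromhex(hexstr.decode("ascii")).decode("latin-1"))
    return uris


def assess(pdf_bytes: bytes, size_limit=100 * 1024, min_links=10, cluster_ratio=0.5,
           redirector_hosts=KNOWN_REDIRECTOR_HOSTS) -> dict:
    """Apply the two report heuristics. Thresholds are assumptions, not the vendor's."""
    uris = extract_uris(pdf_bytes)
    parsed = [(u, urlparse(u)) for u in uris]
    pdf_links = [u for u, p in parsed
                 if p.scheme in ("http", "https") and p.path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    findings = []
    if (len(pdf_bytes) <= size_limit and len(pdf_links) >= min_links
            and top_count / len(pdf_links) >= cluster_ratio):
        findings.append(("PDF_SEO_LINK_FARM", "critical",
                         f"{top_count}/{len(pdf_links)} external .pdf links on {top_host}"))
    hits = [u for u, p in parsed if p.hostname in redirector_hosts]
    if hits:
        findings.append(("PDF_MALICIOUS_REDIRECTOR_LINK", "critical", ", ".join(hits)))
    return {"uri_count": len(uris), "pdf_link_count": len(pdf_links),
            "top_host": top_host, "findings": findings}


def build_sample_pdf(urls: list[str]) -> bytes:
    """Constructed fixture: a minimal uncompressed PDF with one /Link annotation per URL
    (the last one written as a hex string). This is not the analysed sample."""
    objs, refs = [], []
    for n, u in enumerate(urls, start=4):
        if n == len(urls) + 3:  # last URL as hex string to exercise that code path
            target = "<" + u.encode("latin-1").hex() + ">"
        else:
            target = "(" + u.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)") + ")"
        objs.append(f"{n} 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                    f"/A << /S /URI /URI {target} >> >> endobj")
        refs.append(f"{n} 0 R")
    doc = "\n".join([
        "%PDF-1.4",
        "1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
        "2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        f"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        f"/Annots [{' '.join(refs)}] >> endobj",
        *objs, "trailer << /Root 1 0 R >>", "%%EOF"])
    return doc.encode("latin-1")


# Constructed link set: nine .pdf links on one host, three on another, plus the
# redirector URL named in this report. Hosts ending in .test are placeholders.
SAMPLE_URLS = ([f"https://cdn-a.test/uploads/{4360000 + i}/normal_{i:08x}.pdf" for i in range(9)]
               + [f"https://cdn-b.test/files/{i}.pdf" for i in range(3)]
               + ["https://ggtraff.ru/strik?keyword=learning+curve+urban+dictionary"])
SAMPLE_PDF = build_sample_pdf(SAMPLE_URLS)
SAMPLE_REPORT = assess(SAMPLE_PDF)

if __name__ == "__main__":
    for rule, severity, detail in SAMPLE_REPORT["findings"]:
        print(f"[{severity}] {rule}: {detail}")
```

Run against the fixture, both critical rules fire; a single-link PDF produces no findings. For real triage, feed `assess()` the raw file bytes and treat a redirector hit as the higher-confidence signal: the link-farm rule is a shape heuristic and will also match legitimate auto-generated index documents, so tune `min_links` and `cluster_ratio` against a benign corpus before alerting on it alone.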