Malicious PDF — malware analysis report

Static analysis result for SHA-256 1f99f9973a7e7749…

Verdict: MALICIOUS
File type: PDF
Size: 25.9 KB
Created: 2020-10-31 09:01:06 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 79e41416f7c43b4be09a20d630e864d0
SHA-1: 3dd62af08a9564512e2b40ca2a12ac9a0b34e352
SHA-256: 1f99f9973a7e7749403b7df8516b4204d37a8d54ab6e06cdf4679430de844366
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF carries an unusually large number of clickable link annotations for its size. One of them points to redirector infrastructure (gettraff.ru); the rest are external .pdf links clustered on a few hosting providers, the pattern of a generated SEO link farm rather than normal document citations. The heuristic PDF_MALICIOUS_REDIRECTOR_LINK fired because at least one link leads to known malicious infrastructure, and the Nyx PDF classifier (ML_NYX_PDF_MALICIOUS) scored the document as malicious with high confidence. Consistent with the heuristics, the document does not appear to exploit a parser flaw: it relies on the user clicking a link and following a redirect chain to unwanted-software or phishing pages.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9963

Heuristics (3)

  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://gettraff.ru/aws?keyword=castlevania+lords+of+shadow+parents+guide
    • https://kizozejibudi.weebly.com/uploads/1/3/4/4/134460324/4292566.pdf
    • https://cdn-cms.f-static.net/uploads/4365546/normal_5f86fa7b8c8d0.pdf
    • https://cdn-cms.f-static.net/uploads/4367271/normal_5f87430689f69.pdf
    • https://s3.amazonaws.com/pewebopufupe/gedubimazu.pdf
    • https://s3.amazonaws.com/nemafu/graco_snugride_32_manual.pdf
    • https://s3.amazonaws.com/muvemasoxaji/number_bond_in_spanish.pdf
    • https://s3.amazonaws.com/rerinago/54028511197.pdf
    • https://s3.amazonaws.com/susopuzupure/zirisatunadipil.pdf
    • https://s3.amazonaws.com/zedudo/four_regions_of_texas.pdf
    • https://s3.amazonaws.com/mibiwivanetuj/bronchial_asthma_case_study.pdf
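The two critical heuristics above are mechanical checks on the document's link annotations: a small file, many external .pdf links concentrated on one host, and at least one URI on a known redirector host. The script below is an added example of how an analyst can reproduce that triage locally with the standard library; it is not the vendor's detection code. The thresholds, the KNOWN_REDIRECTOR_HOSTS list (seeded with gettraff.ru only because this report labels it as redirector infrastructure) and the sample PDF it builds from this report's URL list are all constructed assumptions.

```python
"""Triage a PDF's link annotations for link-farm / redirector patterns.

Added example for this report, not the vendor's detection code. The
thresholds and the redirector host list are illustrative assumptions.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# Assumption: hosts this report labels as redirector infrastructure.
KNOWN_REDIRECTOR_HOSTS = {"gettraff.ru"}

# Assumed thresholds paraphrasing the PDF_SEO_LINK_FARM wording.
LINK_FARM_MAX_SIZE = 64 * 1024      # "small PDF"
LINK_FARM_MIN_PDF_LINKS = 5         # "many clickable external PDF links"
LINK_FARM_TOP_HOST_SHARE = 0.5      # "mostly clustered on one host"

# /A << /S /URI /URI (target) >> in a plain annotation dictionary. The string
# group accepts backslash escapes so an escaped ')' does not cut a URL short.
URI_RE = re.compile(rb"/S\s*/URI\s*/URI\s*\(((?:\\.|[^\\)])*)\)")


def extract_uris(pdf_bytes: bytes) -> list[str]:
    """Return every URI action target found in uncompressed objects.

    Caveat: annotations packed into compressed object streams (/ObjStm) are
    invisible to this regex pass; use pypdf or pdfminer for those.
    """
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = m.group(1)
        for esc, lit in ((b"\\(", b"("), (b"\\)", b")"), (b"\\\\", b"\\")):
            raw = raw.replace(esc, lit)
        uris.append(raw.decode("latin-1"))
    return uris


def evaluate(pdf_bytes: bytes) -> dict:
    """Apply the report's three heuristics; return (severity, rule, detail) tuples."""
    uris = extract_uris(pdf_bytes)
    parsed = [urlparse(u) for u in uris]
    findings = []

    # PDF_MALICIOUS_REDIRECTOR_LINK: any URI whose host is a known redirector.
    hits = sorted({p.hostname for p in parsed if p.hostname in KNOWN_REDIRECTOR_HOSTS})
    if hits:
        findings.append(("critical", "PDF_MALICIOUS_REDIRECTOR_LINK", hits))

    # PDF_SEO_LINK_FARM: small file, many external .pdf links, one dominant host.
    pdf_hosts = [p.hostname for p in parsed
                 if p.scheme in ("http", "https") and p.path.lower().endswith(".pdf")]
    if pdf_hosts:
        top_host, top_n = Counter(pdf_hosts).most_common(1)[0]
        share = top_n / len(pdf_hosts)
        if (len(pdf_bytes) <= LINK_FARM_MAX_SIZE
                and len(pdf_hosts) >= LINK_FARM_MIN_PDF_LINKS
                and share >= LINK_FARM_TOP_HOST_SHARE):
            findings.append(("critical", "PDF_SEO_LINK_FARM",
                             {"pdf_links": len(pdf_hosts), "top_host": top_host,
                              "top_host_share": round(share, 2)}))

    # EMBEDDED_URL: informational, records what was extracted.
    if uris:
        findings.append(("info", "EMBEDDED_URL", uris))
    return {"size": len(pdf_bytes), "uris": uris, "findings": findings}


def build_sample_pdf(urls: list[str]) -> bytes:
    """Constructed sample: one page with one /Link annotation per URL, stored
    as plain objects the way a wkhtmltopdf/Qt export writes them."""
    objs = ["<< /Type /Catalog /Pages 2 0 R >>",
            "<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    refs = " ".join(f"{4 + i} 0 R" for i in range(len(urls)))
    objs.append(f"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [{refs}] >>")
    for i, u in enumerate(urls):
        esc = u.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
        objs.append(f"<< /Type /Annot /Subtype /Link /Rect [72 {700 - 12 * i} 540 "
                    f"{712 - 12 * i}] /A << /S /URI /URI ({esc}) >> >>")
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for n, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += f"{n} 0 obj\n{body}\nendobj\n".encode("latin-1")
    xref = len(out)
    out += f"xref\n0 {len(objs) + 1}\n0000000000 65535 f \n".encode()
    out += b"".join(f"{off:010d} 00000 n \n".encode() for off in offsets)
    out += f"trailer\n<< /Size {len(objs) + 1} /Root 1 0 R >>\nstartxref\n{xref}\n%%EOF\n".encode()
    return bytes(out)


# URLs taken from this report's EMBEDDED_URL list.
REPORT_URLS = [
    "https://gettraff.ru/aws?keyword=castlevania+lords+of+shadow+parents+guide",
    "https://kizozejibudi.weebly.com/uploads/1/3/4/4/134460324/4292566.pdf",
    "https://cdn-cms.f-static.net/uploads/4365546/normal_5f86fa7b8c8d0.pdf",
    "https://cdn-cms.f-static.net/uploads/4367271/normal_5f87430689f69.pdf",
    "https://s3.amazonaws.com/pewebopufupe/gedubimazu.pdf",
    "https://s3.amazonaws.com/nemafu/graco_snugride_32_manual.pdf",
    "https://s3.amazonaws.com/muvemasoxaji/number_bond_in_spanish.pdf",
    "https://s3.amazonaws.com/rerinago/54028511197.pdf",
    "https://s3.amazonaws.com/susopuzupure/zirisatunadipil.pdf",
    "https://s3.amazonaws.com/zedudo/four_regions_of_texas.pdf",
    "https://s3.amazonaws.com/mibiwivanetuj/bronchial_asthma_case_study.pdf",
]

if __name__ == "__main__":
    for severity, rule, detail in evaluate(build_sample_pdf(REPORT_URLS))["findings"]:
        print(f"[{severity}] {rule}: {detail}")
```

Run against the constructed sample, the script reproduces all three findings from this report: the redirector hit on gettraff.ru, a link farm of 10 .pdf links with s3.amazonaws.com carrying 70% of them, and the informational URL list. Against a real sample, point `extract_uris` at the file bytes; if the annotation count looks too low for the file, suspect compressed object streams and fall back to a full parser before trusting a negative result.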