Malicious PDF — malware analysis report

Static analysis result for SHA-256 2991ca838c971823…

Verdict: MALICIOUS
File type: PDF

Size: 23.6 KB
Created: 2020-10-31 03:29:21 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6c00bc4f6e8236fda933978212e816d7
SHA-1: 425eb38f4508eeb53f9d894ec46bf822dc644492
SHA-256: 2991ca838c97182374919df6dee7a8fbd1a56be30891bdb21eb3b04041389c95
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded links, many of which point to redirector infrastructure or link farms, indicating an intent to direct users to potentially harmful sites. The heuristic firings confirm the presence of malicious redirector links and a link farm, suggesting this PDF is a carrier in a larger SEO poisoning or phishing campaign. The ML classifier also scored the file as strongly malicious.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9970

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.