Malicious PDF — malware analysis report

Static analysis result for SHA-256 34b6c402295f5424…

MALICIOUS

PDF

19.0 KB Created: 2020-10-29 17:42:50 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 80961a481a43513faf8093ca7c6541e4 SHA-1: c1f1cc6bf4299a504e095ce0eff71512b04a0779 SHA-256: 34b6c402295f54247afda74ee49662b0760b37233416db4dc6fe87ca548f216a
172 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF is identified as an image-only lure, typical of phishing attacks, designed to trick users into clicking a link. The embedded link directs to a known malicious redirector, which likely serves further malicious content or leads to a phishing page. The document also contains a large number of external PDF links, suggesting a link farm or SEO manipulation tactic.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9986

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 19 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ggtraff.ru/strik?keyword=angelfall+pdf+pl
    • https://xalipifizipig.weebly.com/uploads/1/3/1/3/131379045/xuzifubuza_merefajif_debukoromofimo_dujumerajamol.pdf
    • https://genigudepa.weebly.com/uploads/1/3/1/0/131070712/bagatazojiz_sidatasofugugor_sofaxazute_gureluf.pdf
    • https://latijivetazemor.weebly.com/uploads/1/3/0/7/130775002/90a2f.pdf
    • https://tubenuluni.weebly.com/uploads/1/3/1/4/131437864/388efb16d8559cf.pdf
    • https://mubojage.weebly.com/uploads/1/3/4/3/134377346/zasobusoribi.pdf
    • https://kokexofagisukop.weebly.com/uploads/1/3/2/7/132710589/1052771.pdf
    • https://nixofukotozawe.weebly.com/uploads/1/3/4/3/134313466/walex.pdf
    • https://fizolapojola.weebly.com/uploads/1/3/1/3/131383549/sibinesuniwosaludazo.pdf
    • https://ditiwudo.weebly.com/uploads/1/3/1/4/131452947/5123063.pdf
    • https://vozutadisifik.weebly.com/uploads/1/3/1/4/131483249/662261.pdf
    • https://uploads.strikinglycdn.com/files/a650a5b6-7729-4b9c-90de-bc2394dcc589/vox_ac4tv_schematic.pdf
    • https://cdn.shopify.com/s/files/1/0483/6612/5219/files/engineering_mechanics_easy_engineering.pdf
    • https://uploads.strikinglycdn.com/files/4e25e6e8-fa8a-4d8f-8f0c-d286288868ed/nujeluxixijazogenonetupu.pdf
    • https://cdn.shopify.com/s/files/1/0484/6678/8506/files/wanak.pdf
    • https://uploads.strikinglycdn.com/files/3ea140e5-bf24-4fb6-8b91-d1f2694d7b72/grimoire_for_the_green_witch_a_compl.pdf

Open this report in the interactive analyzer, or submit your own file for analysis.