Malicious PDF — malware analysis report

Static analysis result for SHA-256 35200074aa65abb4…

MALICIOUS

PDF

Size: 16.6 KB
Created: 2020-11-08 11:33:31 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1e5d6571396949568eb667adbb421ce5
SHA-1: 0c8edfcd54e8a65f2b7b74abdafcadf8dd3a6bc0
SHA-256: 35200074aa65abb4f7e8c13881f90010faeb282568f4ea61da86827678f77e61
Risk Score: 94

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file contains numerous external links, a technique often used for SEO manipulation or to redirect users to malicious sites. The heuristic 'PDF_SEO_LINK_FARM' specifically flags this behavior, indicating a large number of external links within the document. The presence of a URL pointing to 'trafffi.ru' further supports the malicious intent, suggesting a potential traffic redirection or phishing scheme. No scripts were extracted, but the document's structure and embedded links are indicative of a malicious lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9984

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, id: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info, id: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, id: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://trafffi.ru/aws?keyword=grand+summoners+tier+list