Malicious PDF — malware analysis report

Static analysis result for SHA-256 380512d98b747dc7…

MALICIOUS

PDF

50.6 KB Created: 2020-11-20 10:00:17 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b7c61176831e363f20b4488ceb420779 SHA-1: 72c2ca4ecbbbf75e2797364dde6bfb85e87915a7 SHA-256: 380512d98b747dc785ea66e7143e373cc17f1512292fa9245bbc4d0d42bbc213
232 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

This PDF document is designed as a phishing lure, presenting itself as a screenshot to entice users to click a link. The embedded link, https://traffmen.ru/aws?utm_term=cursive+writing+letter+formation+sheets, is identified as a malicious redirector, indicating a probable attempt to lead the user to a malicious site. The presence of numerous other PDF links further suggests a link farm or SEO poisoning tactic to distribute the malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6502

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 50 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffmen.ru/aws?utm_term=cursive+writing+letter+formation+sheets
    • https://cdn-cms.f-static.net/uploads/4369908/normal_5fa40d0baf64a.pdf
    • https://cdn-cms.f-static.net/uploads/4390382/normal_5fa12dd4db3c4.pdf
    • https://cdn-cms.f-static.net/uploads/4426822/normal_5f9b268f4d437.pdf
    • https://dimaxafazeza.weebly.com/uploads/1/3/1/4/131453031/ff51353ffd7b.pdf
    • https://cdn-cms.f-static.net/uploads/4393904/normal_5f9be1ac64f25.pdf
    • https://cdn-cms.f-static.net/uploads/4372735/normal_5f8bf449ed689.pdf
    • https://uploads.strikinglycdn.com/files/12bc20b2-dd6d-455c-a6e0-12cd9ab042c6/ruzepazipukixaroboz.pdf
    • https://uploads.strikinglycdn.com/files/dad12d85-e2ed-4052-afc7-f476da6d17cc/.pdf
    • https://uploads.strikinglycdn.com/files/56c9e140-da1a-4b6e-ab62-7ee737c1bfb4/91650400497.pdf
    • https://uploads.strikinglycdn.com/files/a15b86dd-ffce-417b-8fdf-f93ee4066830/70609517270.pdf
    • https://s3.amazonaws.com/sivanira/3316113193.pdf
    • https://uploads.strikinglycdn.com/files/4788e303-5188-42d8-b38b-46c322350e35/gedorat.pdf

Open this report in the interactive analyzer, or submit your own file for analysis.