Malicious PDF — malware analysis report

Static analysis result for SHA-256 4b7b0fd208da4d9e…

MALICIOUS

PDF

21.9 KB Created: 2020-10-10 15:52:36 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3ac22a153af5bc3897df7cb5c267d2e9 SHA-1: 3ea0cf0569f578312916175597d61ff91b7a884d SHA-256: 4b7b0fd208da4d9eaa92414b64cad29f04b15938c7522145b88e79041d052896
172 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 User Execution: Malicious Link

The PDF is designed as an image-only lure, typical of phishing, with a prominent malicious redirector link. This link leads to a link farm containing numerous other PDF documents, suggesting a campaign to distribute content or traffic. The ML classifier strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9987

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 21 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://gettraff.ru/strik?keyword=no+man%2527s+sky+frigate+stats
    • http://baborol.blissfulbecomings.com/uploads/1/3/2/3/132303195/dafafovitinopip.pdf
    • http://witobewup.newyorkdiamondbling.com/uploads/1/3/0/7/130739678/6953256.pdf
    • http://files.hollishistoricalsociety.org/uploads/1/3/0/7/130740264/jinikijelonafom.pdf
    • http://files.bestitalianvacations.com/uploads/1/3/2/3/132303164/mukogalu-libigeba-gumutavede-derogelipoz.pdf
    • https://cdn.shopify.com/s/files/1/0430/9617/8845/files/national_board_certified_teacher.pdf
    • https://cdn.shopify.com/s/files/1/0497/1705/1553/files/ben_10_protector_of_earth_cheats.pdf
    • https://cdn.shopify.com/s/files/1/0497/2412/9437/files/wyse_administrator_password_windows_7_embedded.pdf
    • https://cdn.shopify.com/s/files/1/0482/9007/0689/files/bissell_little_green_machine_1400-7_manual.pdf
    • https://cdn.shopify.com/s/files/1/0500/7530/4094/files/haynes_w202_repair_manual.pdf
    • https://cdn.shopify.com/s/files/1/0458/6573/0201/files/hill_climb_racing_hack_apk_download_unlimited_money_and_diamond.pdf
    • https://cdn.shopify.com/s/files/1/0496/5344/8857/files/26274330316.pdf
    • https://cdn.shopify.com/s/files/1/0435/2969/9482/files/43016880583.pdf
    • https://cdn.shopify.com/s/files/1/0434/0688/5027/files/3925140094.pdf
    • https://cdn.shopify.com/s/files/1/0431/6053/5196/files/script_supervisor_log.pdf
    • https://cdn.shopify.com/s/files/1/0493/1282/5503/files/turbo_wifi_apk_download.pdf

Open this report in the interactive analyzer, or submit your own file for analysis.