Malicious PDF — malware analysis report

Static analysis result for SHA-256 5c39ebb0d992b8a5…

MALICIOUS

PDF

Size: 17.6 KB
Created: 2020-10-28 15:36:35 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6a42d9fc5ddc10843acddccdcce06fc0
SHA-1: 287630018c3b278a51397c0bddffef551efbfa4c
SHA-256: 5c39ebb0d992b8a571c228c3e6691e53ded6b86722ecc7cd97a3975dfa2c6cd1
Risk Score: 172

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF is identified as a malicious redirector link, likely intended as a phishing lure. It contains a single image and minimal text, characteristic of a screenshot lure designed to prompt user interaction. The embedded URL leads to known malicious infrastructure, suggesting an attempt to redirect users to a malicious site.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9984

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (severity: critical; rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical; rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image-only document with action trigger (screenshot lure) (severity: medium; rule: PDF_IMAGE_LURE)
    PDF has 1 image and 0 text blocks, carries a click-outward action, and is only 17 KB: the typical shape of a phishing lure in which a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://gettraff.ru/aws?keyword=toyota+yaris+repair+manual+2012
    • https://cdn-cms.f-static.net/uploads/4425491/normal_5f97bb0434b8b.pdf
    • https://donodofi.weebly.com/uploads/1/3/1/8/131856097/zusoluwifivelefasefo.pdf
    • https://cdn-cms.f-static.net/uploads/4407795/normal_5f9790ad85f66.pdf
    • https://cdn-cms.f-static.net/uploads/4367013/normal_5f902fcd574a3.pdf
    • https://wovuxekas.weebly.com/uploads/1/3/4/3/134379471/megarofenaporite.pdf
    • https://uploads.strikinglycdn.com/files/ae2ab3bc-a0ac-4470-ab8d-744e1033c37b/the_queen_of_clean_complete_cleaning.pdf
    • https://uploads.strikinglycdn.com/files/f4c48df2-067e-4862-92ae-c9796c87f076/65397058587.pdf
    • https://uploads.strikinglycdn.com/files/13563e84-b53d-4b3d-8387-569a40ea13fa/45320103405.pdf
    • https://uploads.strikinglycdn.com/files/bbd636d7-fbec-4398-b4c4-14137f751ee8/zajavetifabemuvibam.pdf
    • https://cdn.shopify.com/s/files/1/0495/1428/3176/files/antony_beevor_world_war_2.pdf
    • https://cdn.shopify.com/s/files/1/0500/0046/1998/files/43710481193.pdf
    • https://cdn.shopify.com/s/files/1/0266/7662/5583/files/how_to_read_bass_tabs_youtube.pdf
    • https://uploads.strikinglycdn.com/files/918d560e-ad6c-4152-8449-cdb63fbec49d/gogotitibe.pdf
    • https://uploads.strikinglycdn.com/files/5cb0723f-d37f-498c-a4ab-6bbe4d92cf50/59872933940.pdf
    • https://uploads.strikinglycdn.com/files/9bad1c32-2736-48b8-afe7-89c08f8e01c0/35981766602.pdf
    • https://uploads.strikinglycdn.com/files/78762c76-f025-411c-b47f-5472ba975f59/balipupogizenevaz.pdf
    • https://uploads.strikinglycdn.com/files/49554bef-3d9d-417d-8475-a2670467c664/fearsome_faces_scream_mask.pdf
    • https://uploads.strikinglycdn.com/files/97fb5b19-e91f-45cd-8ca7-4d73fde74eac/25058425699.pdf
    • https://cdn.shopify.com/s/files/1/0502/8980/3461/files/7388478052.pdf