Malicious PDF — malware analysis report

Static analysis result for SHA-256 794172071a64bdfe…

MALICIOUS

PDF

18.6 KB Created: 2020-10-03 13:55:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 707b95c22b1b7452d8b015f82e7c745f SHA-1: 63557d394635e4ccc103d968e13f0dbcc2f1528b SHA-256: 794172071a64bdfe6a36dc513932e7787449523244a5e204836de02272d16e7d
172 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF file is designed as a lure, presenting itself as a document but containing a clickable link that redirects to malicious infrastructure. The heuristic firings indicate it's an image-only document with an action trigger, typical of phishing attempts. The primary malicious IOC is the redirector URL, which likely leads to further stages of the attack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9985

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 18 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ggtraff.ru/strik?keyword=cristianismo+puro+e+simples+livro+pdf
    • https://site-1037222.mozfiles.com/files/1037222/24085352147.pdf
    • https://site-1036760.mozfiles.com/files/1036760/96190570263.pdf
    • http://files.alovettingram.com/uploads/1/3/1/4/131409709/6533887.pdf
    • http://juxeni.bowmanacademics.com/uploads/1/3/1/3/131380213/2438073.pdf
    • http://files.kidschangetheworld.org/uploads/1/3/0/7/130775498/2563392.pdf
    • http://files.axevmc.com/uploads/1/3/0/7/130738720/ramuxe-mezikox-vumowosofavusu-sejuraxakup.pdf
    • http://files.calliopeahc.org/uploads/1/3/2/6/132695780/tekigelaru.pdf
    • http://files.zvovtrio.com/uploads/1/3/0/9/130969377/jepexexikurilixuz.pdf
    • http://files.kelseysq.com/uploads/1/3/0/7/130776599/pawuj-vigisanugeguwe-zigosogome-bunusujav.pdf
    • http://files.piercecountyscd.org/uploads/1/3/2/6/132681690/pofoditufo-zupikulura-jupefu-vezagewi.pdf
    • http://files.yaaitsanartstudio.com/uploads/1/3/0/7/130775413/41983ed9841fd3.pdf
    • https://cdn.shopify.com/s/files/1/0432/5644/7136/files/wonderfox_dvd_ripper_pro_download.pdf
    • https://cdn.shopify.com/s/files/1/0435/1141/4943/files/18285786701.pdf
    • https://cdn.shopify.com/s/files/1/0428/3380/5471/files/kira_kira_chapter_2_summary.pdf

Open this report in the interactive analyzer, or submit your own file for analysis.