Malicious PDF — malware analysis report

Static analysis result for SHA-256 7f1ff3e38d964824…

MALICIOUS

PDF

Size: 67.6 KB
Created: 2020-12-26 22:47:53 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a3979be94293d8af4e503cb521d34bc4
SHA-1: a751b6d2bfebd743654a258705152482961f4cad
SHA-256: 7f1ff3e38d964824471a2925a754a822ea06b0c7112c493a7d8a62a6d175ee54
Risk score: 212

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains numerous embedded links, one of which was identified as a malicious redirector. The heuristics 'PDF_MALICIOUS_REDIRECTOR_LINK' and 'PDF_SEO_LINK_FARM' indicate a deliberate attempt to direct users to potentially harmful external sites. The ML classifier and the ClamAV detection further support the malicious verdict, suggesting the file is part of a phishing or malware distribution scheme.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9063

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (critical) PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical) PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.