Malicious PDF — malware analysis report

Static analysis result for SHA-256 ac365d5e960bd4df…

MALICIOUS

PDF

41.4 KB Created: 2020-10-31 19:33:24 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 682abb6ddb99af96ff41d056f602cab5 SHA-1: b617cb625d540c3c77df002e640c1fa5e763b8ef SHA-256: ac365d5e960bd4df2970df676be60ea899da11f2f6454f485e17066612e9fe1f
172 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.001 User Execution: Malicious Link

The PDF is an image-only document designed as a lure, containing a clickable link that redirects to malicious infrastructure. The document body, though heavily obfuscated, contains URLs that are also listed as embedded URLs. The presence of multiple external PDF links suggests a link farm, a common tactic for SEO poisoning or distributing malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9975

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 41 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://gettraff.ru/aws?keyword=private+investigator+forms+pdf
    • https://cdn-cms.f-static.net/uploads/4366381/normal_5f8961f5e1819.pdf
    • https://cdn-cms.f-static.net/uploads/4369772/normal_5f8aa05f3ca65.pdf
    • https://cdn-cms.f-static.net/uploads/4370064/normal_5f9a4345c68ca.pdf
    • https://cdn-cms.f-static.net/uploads/4403128/normal_5f9c0acbbf91d.pdf
    • https://bewapuvin.weebly.com/uploads/1/3/1/4/131453684/6f3b3fd.pdf
    • https://cdn-cms.f-static.net/uploads/4368504/normal_5f89097dcdf7d.pdf
    • https://tavumake.weebly.com/uploads/1/3/2/7/132740551/016c0.pdf
    • https://cdn-cms.f-static.net/uploads/4425917/normal_5f9a3fab93dd9.pdf
    • https://cdn-cms.f-static.net/uploads/4387428/normal_5f937a87d33f9.pdf
    • https://cdn-cms.f-static.net/uploads/4424991/normal_5f991b81ee072.pdf
    • https://cdn.shopify.com/s/files/1/0498/8452/8792/files/hunger_games_district_13.pdf
    • https://cdn.shopify.com/s/files/1/0506/9753/5642/files/antique_trader_salt_and_pepper_shaker_price_guide.pdf

Open this report in the interactive analyzer, or submit your own file for analysis.