Malicious PDF — malware analysis report

Static analysis result for SHA-256 c1bef65966fee853…

MALICIOUS

PDF

16.0 KB Created: 2020-10-14 05:50:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0a482b7ec49d594a36f55481b41b4a54 SHA-1: 8f683f212d2c8951b3b9e2dc0abeac85a9f1f70f SHA-256: c1bef65966fee853c8b49c0eed4d3cdc44fa44336f88a3434a5b2bb7a2dfd9d8
172 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF is designed as an image-only lure, typical of phishing or malware delivery. It contains a critical malicious redirector link pointing to 'https://gettraff.ru/strik?keyword=taponamiento+cardiaco+tratamiento+pdf', which is likely the first stage of a malicious chain. The document also includes a large number of external PDF links, many hosted on Shopify, suggesting a link farm or SEO poisoning tactic to distribute malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9981

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 16 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://gettraff.ru/strik?keyword=taponamiento+cardiaco+tratamiento+pdf
    • https://cdn.shopify.com/s/files/1/0483/5518/0695/files/future_minecraft_client.pdf
    • https://cdn.shopify.com/s/files/1/0502/2407/0814/files/java_tutorial_for_beginners.pdf
    • https://cdn.shopify.com/s/files/1/0485/7800/3109/files/vinen.pdf
    • https://cdn.shopify.com/s/files/1/0484/0013/8398/files/teacup_maltese_for_sale_arizona.pdf
    • https://cdn.shopify.com/s/files/1/0484/1147/6126/files/71867936122.pdf
    • https://cdn.shopify.com/s/files/1/0478/4055/9263/files/31710045340.pdf
    • https://cdn.shopify.com/s/files/1/0460/6951/4404/files/first_day_of_school_2015_ontario.pdf
    • https://cdn.shopify.com/s/files/1/0430/3860/5461/files/zigumatedarawozi.pdf
    • https://cdn.shopify.com/s/files/1/0266/9720/3886/files/diamond_nose_ring_zales.pdf
    • https://cdn.shopify.com/s/files/1/0431/0676/2905/files/alpha_phi_alpha_colors.pdf
    • https://cdn.shopify.com/s/files/1/0498/3809/6546/files/15121682227.pdf
    • https://cdn.shopify.com/s/files/1/0431/2019/7789/files/vanufifubamadi.pdf
    • https://cdn.shopify.com/s/files/1/0438/5007/2214/files/fixoxezolozela.pdf
    • https://cdn.shopify.com/s/files/1/0432/6172/2786/files/cope_health_scholars_promo_code.pdf

Open this report in the interactive analyzer, or submit your own file for analysis.