Malicious PDF — malware analysis report

Static analysis result for SHA-256 c40e45c48734bd40…

Verdict: MALICIOUS

File type: PDF

Size: 17.5 KB
Created: 2020-11-03 15:45:38 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 64ed83160fd87d7706cfbee262df74c8
SHA-1: 582356b0d7c9c5af5fa63373c9e309e30ac4741f
SHA-256: c40e45c48734bd4041b1dc259195371d5e3d20806b21edfdb69d16a950af565c
Risk Score: 112

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file is identified as malicious due to its structure, which resembles an image-only lure designed to trick users into clicking a link. The embedded URL, https://gettraff.ru/strik?keyword=diablo+3+season+21+fast+leveling+guide, is flagged as a known malicious redirector. This suggests the document's primary purpose is to redirect users to malicious content or phishing sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9983

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (severity: critical; rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Image-only document with action trigger (screenshot lure) (severity: medium; rule: PDF_IMAGE_LURE)
    PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 17 KB: the typical shape of a phishing lure, where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://gettraff.ru/strik?keyword=diablo+3+season+21+fast+leveling+guide
    • https://cdn-cms.f-static.net/uploads/4367283/normal_5f87ac17bc2f0.pdf
    • https://cdn-cms.f-static.net/uploads/4411273/normal_5f95f72dd5f7f.pdf
    • https://cdn-cms.f-static.net/uploads/4375909/normal_5f92a9a3daa51.pdf
    • https://cdn-cms.f-static.net/uploads/4366036/normal_5f88756077f54.pdf
    • https://cdn-cms.f-static.net/uploads/4367927/normal_5f9a590b202bc.pdf
    • https://cdn-cms.f-static.net/uploads/4407069/normal_5f9c8835b63ef.pdf
    • https://uploads.strikinglycdn.com/files/bbc9ae31-b2c8-44a3-90a3-d5b240a17a71/64111889935.pdf
    • https://uploads.strikinglycdn.com/files/ef489a02-cbc0-4f5f-b1cb-2bb675f421d0/4236336594.pdf
    • https://uploads.strikinglycdn.com/files/6c239025-3cfa-4550-8313-1bea00979e80/information_technology_aptitude_test.pdf
    • https://s3.amazonaws.com/fotojipifuzitul/tewupufijalufafatipowe.pdf
    • https://s3.amazonaws.com/tizowodifi/agostinho_ramalho_marques_neto_a_ciencia_do_direito.pdf
    • https://s3.amazonaws.com/patotale/best_iptv_2019_firestick.pdf
    • https://uploads.strikinglycdn.com/files/ec36ac0e-1a62-4d3d-92c5-a498088e1e5b/30441911537.pdf