Malicious PDF — malware analysis report

Static analysis result for SHA-256 c756408d66afcf98…

Verdict: MALICIOUS
File type: PDF
Size: 67.6 KB
Created: 2020-10-31 21:53:40 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 25c91b567ee3721e1eddb06aa274ac67
SHA-1: 34c730d5e09fb35a3330c5a25806ca7ea8e80593
SHA-256: c756408d66afcf98edeb4655e6537e8b7025377169aea44609603eb9c7b35675
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF document contains a large number of embedded links, identified as a link farm, that redirect to known malicious infrastructure. The primary malicious URL observed is https://gettraff.ru/aws?keyword=italo+calvino+pdf+libri. The document's structure and embedded links strongly suggest it is designed to lead users to potentially harmful websites, likely for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9703

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://gettraff.ru/aws?keyword=italo+calvino+pdf+libri
    Other extracted URLs:
    • https://cdn-cms.f-static.net/uploads/4375207/normal_5f99fbac5b32d.pdf
    • https://cdn-cms.f-static.net/uploads/4407302/normal_5f92b3ae47a48.pdf
    • https://cdn-cms.f-static.net/uploads/4366362/normal_5f8750c1db999.pdf
    • https://junoxavod.weebly.com/uploads/1/3/1/3/131384771/8762215.pdf
    • https://riragojefo.weebly.com/uploads/1/3/1/8/131857115/ef6b4.pdf
    • https://cdn-cms.f-static.net/uploads/4415308/normal_5f98013418690.pdf
    • https://mumixopid.weebly.com/uploads/1/3/1/8/131872042/lixuradigitotup_porotijelu_lojolexowepole.pdf
    • https://cdn-cms.f-static.net/uploads/4373999/normal_5f934083e451c.pdf
    • https://jowizixevudaw.weebly.com/uploads/1/3/4/4/134489406/gegolenidafef-tobozinegevuxez.pdf
    • https://medizagokitoni.weebly.com/uploads/1/3/2/3/132303310/zelex.pdf
    • https://gapefupekud.weebly.com/uploads/1/3/1/8/131871489/zelukaxut.pdf
    • https://bajusumuke.weebly.com/uploads/1/3/2/7/132741128/mawakagudovow.pdf
    • https://rijizego.weebly.com/uploads/1/3/0/7/130776487/loxewuponeradek_fimibulole_kuxaxum_fofanipu.pdf
    • https://tipiridevozono.weebly.com/uploads/1/3/4/3/134349557/e5b4703f4bf0c7.pdf
    • https://cdn.shopify.com/s/files/1/0501/4532/9340/files/imperial_armor_13.pdf
    • https://s3.amazonaws.com/wegemebufojafak/32633396496.pdf
    • https://s3.amazonaws.com/tadovu/psicologia_forense_que_es.pdf
    • https://cdn.shopify.com/s/files/1/0440/1030/7749/files/19225125451.pdf