Malicious PDF — malware analysis report

Static analysis result for SHA-256 ca9b8c8470043eb5…

MALICIOUS

PDF

Size: 95.2 KB
Created: 2020-10-27 05:01:59 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: dc837ba42d8ddd641844f9d217246067
SHA-1: fbae741db2f5facee8980ae14cd47010803df8c6
SHA-256: ca9b8c8470043eb54e7823d883189b57132ddf7f44ddfb647fb5c4436d09997f
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file was flagged by multiple heuristics as malicious, specifically for containing a link farm and redirecting to known malicious infrastructure. The embedded URL 'https://ggtraff.ru/pify?keyword=fletcher-class+destroyer+losses' is a strong indicator of malicious intent, likely for phishing or scamming purposes. No scripts were extracted, but the PDF structure itself is indicative of a malicious document.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9916

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ggtraff.ru/pify?keyword=fletcher-class+destroyer+losses
    • https://posilopawirina.weebly.com/uploads/1/3/4/3/134353572/10c2742fff.pdf
    • https://nudopimiga.weebly.com/uploads/1/3/1/0/131070212/303904.pdf
    • https://fufivivol.weebly.com/uploads/1/3/0/8/130873849/724488.pdf
    • https://gimejexoxixaza.weebly.com/uploads/1/3/1/8/131872185/e5bcd2697.pdf
    • https://cdn-cms.f-static.net/uploads/4366009/normal_5f910d694e8b6.pdf
    • https://cdn-cms.f-static.net/uploads/4372980/normal_5f8a31c5d2d8e.pdf
    • https://uploads.strikinglycdn.com/files/d090152a-4800-456c-8e40-099cf272eb59/sewalodugedojuku.pdf
    • https://s3.amazonaws.com/zirojopemup/congenital_heart_disease_download.pdf
    • https://s3.amazonaws.com/bopuxosavubare/kerilosilosowobud.pdf
    • https://s3.amazonaws.com/putelekireza/sqlite_studio_tutorial.pdf
    • https://uploads.strikinglycdn.com/files/6628dfa1-9f19-4b51-a7b0-da67766fd471/warframe_fortuna_k-drive_race_locations.pdf
    • https://uploads.strikinglycdn.com/files/f7815e8d-a0e2-4e5d-8f5c-94006d0093f6/vixur.pdf
    • https://cdn.shopify.com/s/files/1/0502/1673/0799/files/vumimideg.pdf
    • https://cdn.shopify.com/s/files/1/0430/9506/4733/files/chamberlain_clicker_wireless_keypad_manual.pdf