Malicious PDF — malware analysis report

Static analysis result for SHA-256 e3927b4497446b33…

MALICIOUS

PDF

12.2 KB Created: 2020-07-10 07:26:59 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 19e2d4fd382e233fd3bf99e1c0fbc62a SHA-1: 82336416644ac3bc6fabaa352887fd5d2bd1ef89 SHA-256: e3927b4497446b3305785f5abccedb7151a952b145becfb7d37dabb439bb948c
170 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 User Execution: Malicious Link

This PDF document is identified as a malicious redirector, likely a phishing lure. The document body contains a screenshot-like appearance with embedded URLs, including a primary malicious redirector at 'https://ttraff.cc/wb?keyword=aflac%20accident%20insurance%20pdf'. The heuristic firings confirm it's an image-only lure with malicious redirect links and a link farm, strongly suggesting its purpose is to direct users to harmful content. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9964

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 12 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wb?keyword=aflac%20accident%20insurance%20pdf
    • http://files.dianapoems.com/uploads/1/3/2/7/132740923/tavasotufozuduxa.pdf
    • http://files.cottagerowgallerydc.com/uploads/1/3/1/4/131453241/lujele.pdf
    • http://files.stagingbynikki.com/uploads/1/3/1/4/131438002/lugumusuguj.pdf
    • http://files.ewbbu.com/uploads/1/3/2/6/132695467/2263740.pdf
    • http://files.juliesoliloquy.com/uploads/1/3/2/3/132303138/nedonikatufe.pdf
    • http://files.todayhousing.com/uploads/1/3/0/9/130969243/vanamogukalazak.pdf
    • http://files.summit-import.com/uploads/1/3/0/7/130775372/a48de666c88c21.pdf
    • http://files.nadinina.com/uploads/1/3/1/4/131438835/tidujeno.pdf
    • https://lekarizite.files.wordpress.com/2020/07/mafidif.pdf
    • https://lumuvix.files.wordpress.com/2020/06/pubuj.pdf

Open this report in the interactive analyzer, or submit your own file for analysis.