Malicious PDF — malware analysis report

Static analysis result for SHA-256 e6062c50ee60984e…

MALICIOUS

PDF

33.6 KB Created: 2020-11-07 02:21:01 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c3c02c0488c1eff4694b58b022f31e85 SHA-1: 04737c57d6c4b32632c042b20d91951b727969a5 SHA-256: e6062c50ee60984e2b3086c962bde783f1a561199e973b0d859ed4904f217d99
172 Risk Score
Tags
free-cdn-ebook-manual-lure

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF is designed as a screenshot lure, presenting itself as an image to obscure clickable links. It contains a high number of external links, with one identified as a malicious redirector pointing to 'https://ggtraff.ru/aws?keyword=united+healthcare+open+enrollment+2020+dates'. The document body also contains this URL, suggesting it is the primary malicious destination. The presence of numerous PDF links indicates a link farm strategy, likely to improve SEO for malicious content or to distribute further payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9942

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 33 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ggtraff.ru/aws?keyword=united+healthcare+open+enrollment+2020+dates In PDF document text
    • https://cdn-cms.f-static.net/uploads/4421782/normal_5f9b388f89dc4.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4373259/normal_5fa2423e7871e.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4393209/normal_5f905f6dec53e.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4385614/normal_5f8e2f25d7830.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4383321/normal_5f8c602d92ecd.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4403259/normal_5f976061ac5fc.pdfIn PDF document text
    • https://s3.amazonaws.com/vuliwisuwig/basketball_legends_unblocked_76_weebly.pdfIn PDF document text
    • https://kitudigerote.files.wordpress.com/2020/11/71153433961.pdfIn PDF document text
    • https://s3.amazonaws.com/wibedubosateg/mijifopib.pdfIn PDF document text
    • https://s3.amazonaws.com/baxunaf/42700537906.pdfIn PDF document text
    • https://sazaxasegu.files.wordpress.com/2020/11/26344682303.pdfIn PDF document text
    • https://nixeporebumo.files.wordpress.com/2020/11/haitun_automatic_pump_control_manual.pdfIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.