Malicious PDF — malware analysis report

Static analysis result for SHA-256 e7032cfc927f7656…

MALICIOUS

PDF

18.6 KB Created: 2020-10-28 20:33:01 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a08d95b65c4288e9880b51fe3568b0c6 SHA-1: 9e00b923d963bf6c210ac67f54f1a2c68e1fd6c9 SHA-256: e7032cfc927f7656b7c04be8462f2add9484b08350453f36da9b99a4751c98d9
92 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a link to known malicious redirector infrastructure, identified by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The embedded URL 'https://gettraff.ru/aws?keyword=toy+blast+hack+no+survey' is the primary indicator of malicious intent. The ML classifier also strongly flagged this PDF as malicious. No scripts were extracted, but the presence of a malicious URL suggests the document is designed to redirect users to a harmful site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9914

Heuristics 2

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://gettraff.ru/aws?keyword=toy+blast+hack+no+survey
    • https://s3.amazonaws.com/fasanag/libro_cerebrito_descargar.pdf
    • https://uploads.strikinglycdn.com/files/cae627ba-67ee-44ac-aed5-922237a614fc/21028247562.pdf
    • https://uploads.strikinglycdn.com/files/0a28767e-2dbe-48b6-88f9-f6c1fd4d8edc/57589172853.pdf

Open this report in the interactive analyzer, or submit your own file for analysis.