Malicious PDF — malware analysis report

Static analysis result for SHA-256 f12a85d1b3ad3f4c…

  • Verdict: MALICIOUS
  • File type: PDF
  • Size: 23.6 KB
  • Created: 2020-10-09 19:55:39 +03:00
  • Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
  • MD5: 87fd5fb34a470bb9644d91c9e16d8395
  • SHA-1: 8c9274d5578b5c64db866b9e9e35d0c5771303ea
  • SHA-256: f12a85d1b3ad3f4c3305f0ce28f0767f057bd51219706b54e6658cb71fb8f7b4
  • Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains numerous links to external PDF files, a technique often used for SEO manipulation or to obscure malicious destinations. One of these links, https://gettraff.ru/strik?keyword=navy+rating+os, is identified as a known malicious redirector. While no scripts were extracted, the presence of a malicious redirector and a link farm suggests an attempt to lead the user to a compromised or malicious site, likely as part of a phishing or malware distribution campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9985

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://gettraff.ru/strik?keyword=navy+rating+os
    • https://site-1036798.mozfiles.com/files/1036798/vupapivagutedur.pdf
    • https://site-1041489.mozfiles.com/files/1041489/wivak.pdf
    • https://site-1036748.mozfiles.com/files/1036748/fisegiwi.pdf
    • https://uploads.strikinglycdn.com/files/1407b2dd-1082-4c27-be24-5decadf11077/9038509473.pdf
    • https://uploads.strikinglycdn.com/files/53348487-d42f-4558-a335-c0725803cf1d/widotuposelud.pdf
    • https://uploads.strikinglycdn.com/files/cb2c8eff-aa15-4e6b-8b0a-87fbb866b92c/fulenowexokenut.pdf
    • https://cdn.shopify.com/s/files/1/0433/0081/4998/files/nulasokisumavuz.pdf
    • https://cdn.shopify.com/s/files/1/0434/1363/5226/files/bed_head_hair_waver.pdf
    • https://cdn.shopify.com/s/files/1/0484/8081/3217/files/ralomiguzi.pdf
    • https://uploads.strikinglycdn.com/files/17c86bed-9da0-4640-8837-71c46ac225f5/16152591790.pdf
    • https://uploads.strikinglycdn.com/files/46f10e09-36c9-4eda-b1f3-63d7324416da/tazologetegenade.pdf
    • https://uploads.strikinglycdn.com/files/3b1aeb04-c0e8-4203-ab6b-2dc9a95378dc/44639638283.pdf
    • https://uploads.strikinglycdn.com/files/74e61d17-df64-4662-8e4e-ea0c95bf82a4/wodiw.pdf