Malicious PDF — malware analysis report

Static analysis result for SHA-256 0236c0fbffa5ecfd…

Verdict: MALICIOUS
File type: PDF

Size: 20.6 KB
Created: 2020-10-23 02:37:52 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 957310f7cef8c069ecc7d6d82947af58
SHA-1: c032f57d4a13cf61936f54ede74c9167386dc4c6
SHA-256: 0236c0fbffa5ecfd3e58707f94a5b09c2b4a7fdb95049161029483ed3c74ebce
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF carries an unusually large number of clickable link annotations for a 20.6 KB document, most of them pointing at external PDF files clustered on a handful of free file-hosting domains. That pattern is characteristic of a generated SEO link-farm carrier, not of a document citing sources. One critical heuristic matched a link to known malicious redirector infrastructure; the keyword parameter carried by that link mirrors the search query the lure is built to rank for. Although the document body is obfuscated, the URLs extracted from it are the likely path by which a reader is routed into the redirect chain. Nothing here points to a parser vulnerability: the delivery chain depends on the user clicking a link and following redirects, so the file should be treated as a lure and the linked hosts as the indicators worth blocking.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9984

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://gettraff.ru/aws?keyword=physical+science+p1+grade+11+pdf
    • https://wefamojugibe.weebly.com/uploads/1/3/1/1/131164519/tamegevikijovigo.pdf
    • https://keniwuki.weebly.com/uploads/1/3/1/4/131483234/fibawubaxavuvabu.pdf
    • https://pesawesezopi.weebly.com/uploads/1/3/4/3/134327800/1797673.pdf
    • https://genigudepa.weebly.com/uploads/1/3/1/0/131070712/bekalan.pdf
    • https://cdn-cms.f-static.net/uploads/4368751/normal_5f8d1e0bdf721.pdf
    • https://cdn-cms.f-static.net/uploads/4385216/normal_5f8e72de3d383.pdf
    • https://cdn-cms.f-static.net/uploads/4366020/normal_5f86fa69a3699.pdf
    • https://cdn-cms.f-static.net/uploads/4366022/normal_5f8734eecb555.pdf
    • https://cdn-cms.f-static.net/uploads/4366642/normal_5f873a283d1cd.pdf
    • https://pinonomobeberex.weebly.com/uploads/1/3/4/3/134318871/turilezodosisa_tidebelu_jozezepo.pdf
    • https://mekuxiwefajup.weebly.com/uploads/1/3/0/7/130739023/fidase.pdf
    • https://cdn-cms.f-static.net/uploads/4403271/normal_5f91463115960.pdf
    • https://cdn-cms.f-static.net/uploads/4388613/normal_5f8ec5c2a9aae.pdf
    • https://cdn-cms.f-static.net/uploads/4369491/normal_5f8827afa3160.pdf
    • https://cdn-cms.f-static.net/uploads/4365612/normal_5f87465ee6e61.pdf
    • https://cdn-cms.f-static.net/uploads/4368752/normal_5f881b4420ab7.pdf
    • https://uploads.strikinglycdn.com/files/c7afee89-d638-49ad-b59a-9c781c2e0929/jidedoxebo.pdf
    • https://uploads.strikinglycdn.com/files/1ae82924-012e-4bda-8e90-ecfe61807050/waxodewidiv.pdf
    • https://uploads.strikinglycdn.com/files/ebda500f-3d85-4b5f-a5fb-fcb375813744/litixexikagirenavafiju.pdf
    • https://uploads.strikinglycdn.com/files/5f129b26-9343-4aba-8929-9e879c5529f0/oxford_student_atlas_for_india_f.pdf
    • https://cdn.shopify.com/s/files/1/0431/1433/2309/files/nerox.pdf
    • https://cdn.shopify.com/s/files/1/0476/1452/5596/files/alexx_banks_brain_flu_update_2019.pdf
    • https://cdn.shopify.com/s/files/1/0496/1819/0489/files/cochlear_implant_batteries_power_one.pdf
    • https://cdn.shopify.com/s/files/1/0435/6482/6773/files/53496481935.pdf
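
The two critical heuristics above (a clickable URI on denylisted redirector infrastructure, and a small PDF whose link annotations are mostly external .pdf targets clustered on one host) can be reproduced with nothing but the standard library. The following is an added example written for this page, not the analysis engine's own code: it scans the raw file (plus inflated PDF 1.5+ object streams) for URI action strings, decodes both literal and hex PDF strings, clusters the targets by host and emits findings under the report's rule names. The size and link-count thresholds, the host-share cutoff, and the redirector denylist are assumptions; gettraff.ru is on the denylist only because the report above flags it. The fixture PDF is constructed inline with .example hosts and is not the sample analysed here.

```python
"""Link-annotation triage for a PDF, stdlib only. Added example, not the report engine's code.
Thresholds and the redirector denylist below are assumptions made for this example."""
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

# Assumed denylist; gettraff.ru is listed because the report flags it as redirector infrastructure.
REDIRECTOR_HOSTS = {"gettraff.ru"}

# A /URI key whose value is a string occurs only in URI action dictionaries (/S /URI /URI (...)),
# the mechanism behind clickable link annotations. The lookahead skips the /S /URI name value.
_URI_KEY = re.compile(rb"/URI\s*(?=[(<])")
_OBJSTM = re.compile(rb"<<(?:(?!>>).)*?/Type\s*/ObjStm(?:(?!>>).)*?>>\s*stream\r?\n(.*?)endstream", re.S)
_ESC = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
        b"(": b"(", b")": b")", b"\\": b"\\"}


def _literal(data: bytes, start: int) -> bytes:
    """Decode a PDF literal string at data[start] == b'(' : balanced parens and backslash escapes."""
    out, depth, i = bytearray(), 1, start + 1
    while i < len(data) and depth:
        c = data[i:i + 1]
        if c == b"\\":
            nxt = data[i + 1:i + 2]
            if nxt in _ESC:
                out += _ESC[nxt]; i += 2
            elif nxt and nxt in b"01234567":           # octal escape \ddd
                m = re.match(rb"[0-7]{1,3}", data[i + 1:i + 4])
                out.append(int(m.group(), 8) & 0xFF); i += 1 + len(m.group())
            else:                                      # line continuation or unknown escape
                i += 2
        elif c == b"(":
            depth += 1; out += c; i += 1
        elif c == b")":
            depth -= 1
            if depth: out += c
            i += 1
        else:
            out += c; i += 1
    return bytes(out)


def _hex(data: bytes, start: int) -> bytes:
    """Decode a PDF hex string at data[start] == b'<' (whitespace ignored, odd length padded)."""
    end = data.find(b">", start)
    if end < 0:
        return b""
    body = re.sub(rb"\s", b"", data[start + 1:end])
    return bytes.fromhex((body + b"0" * (len(body) % 2)).decode("ascii"))


def _corpus(pdf: bytes) -> bytes:
    """Raw bytes plus the inflated payload of each FlateDecode object stream (PDF 1.5+), so
    annotations packed inside /ObjStm are scanned too. Other stream filters are not handled."""
    parts = [pdf]
    for m in _OBJSTM.finditer(pdf):
        try:
            parts.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass
    return b"\n".join(parts)


def extract_link_uris(pdf: bytes) -> list:
    """All URI-action targets, decoded, in file order."""
    data, uris = _corpus(pdf), []
    for m in _URI_KEY.finditer(data):
        pos = m.end()
        raw = _literal(data, pos) if data[pos:pos + 1] == b"(" else _hex(data, pos)
        uris.append(raw.decode("utf-8", "replace"))
    return uris


def triage(pdf: bytes, redirectors=REDIRECTOR_HOSTS, small_bytes=64 * 1024,
           min_pdf_links=10, cluster_share=0.5) -> dict:
    """Apply the report's heuristics; thresholds are assumed values. Findings come back in severity order."""
    uris = extract_link_uris(pdf)
    hosts, pdf_hosts = Counter(), Counter()
    for u in uris:
        p = urlsplit(u)
        if p.scheme not in ("http", "https") or not p.hostname:
            continue                                   # mailto:, file:, javascript: are out of scope here
        hosts[p.hostname.lower()] += 1
        if p.path.lower().endswith(".pdf"):
            pdf_hosts[p.hostname.lower()] += 1
    findings = []
    hits = sorted(set(hosts) & set(redirectors))
    if hits:
        findings.append({"severity": "critical", "rule": "PDF_MALICIOUS_REDIRECTOR_LINK", "detail": hits})
    n_pdf = sum(pdf_hosts.values())
    if n_pdf >= min_pdf_links and len(pdf) <= small_bytes:
        top_host, top_n = pdf_hosts.most_common(1)[0]
        if top_n / n_pdf >= cluster_share:           # "mostly clustered on one host"
            findings.append({"severity": "critical", "rule": "PDF_SEO_LINK_FARM",
                             "detail": {"pdf_links": n_pdf, "top_host": top_host, "share": round(top_n / n_pdf, 2)}})
    if uris:
        findings.append({"severity": "info", "rule": "EMBEDDED_URL", "detail": uris})
    return {"uris": uris, "hosts": dict(hosts), "findings": findings}


def build_sample_pdf(uris: list) -> bytes:
    """Constructed fixture: minimal xref-less PDF with one /Link annotation per URI, alternating hex and
    literal string encodings so both decoders run. Not the sample analysed in the report."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>", b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots ["
            + b" ".join(b"%d 0 R" % (4 + i) for i in range(len(uris))) + b"] >>"]
    for i, u in enumerate(uris):
        b = u.encode()
        s = (b"(" + b.replace(b"\\", b"\\\\").replace(b"(", b"\\(").replace(b")", b"\\)") + b")"
             if i % 2 else b"<" + b.hex().encode() + b">")
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A << /S /URI /URI " + s + b" >> >>")
    return b"%PDF-1.4\n" + b"".join(b"%d 0 obj\n%s\nendobj\n" % (n, o) for n, o in enumerate(objs, 1)) + b"%%EOF\n"


def pack_in_object_stream(obj: bytes) -> bytes:
    """Constructed fixture: wrap one object body in a FlateDecode /ObjStm, as PDF 1.5+ writers do."""
    return (b"%PDF-1.5\n<< /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode >>\nstream\n"
            + zlib.compress(b"4 0 " + obj) + b"\nendstream\n")


# Constructed sample: one redirector link with a search-keyword parameter, twelve external PDF
# links split across two .example hosts, and one non-http link that the heuristics must ignore.
SAMPLE_URIS = (["https://gettraff.ru/aws?keyword=physical+science+p1+grade+11+pdf"]
               + [f"https://cdn.farm-a.example/uploads/{i}/normal_{i:04x}.pdf" for i in range(8)]
               + [f"https://farm-b.example/files/doc_({i}).pdf" for i in range(4)]
               + ["mailto:nobody@example.org"])

if __name__ == "__main__":
    for f in triage(build_sample_pdf(SAMPLE_URIS))["findings"]:
        print(f"[{f['severity']}] {f['rule']}: {f['detail']}")
```

The scan deliberately ignores the cross-reference table and walks the bytes directly, which is what you want when triaging a file that may have a damaged or deceptive xref; the trade-off is that it will also surface URIs from unreferenced (dead) objects, so treat the output as indicators to pivot on rather than as proof that a link is reachable from the rendered page.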