Malicious PDF — malware analysis report

Static analysis result for SHA-256 0b21c6d9f942262d…

Verdict: MALICIOUS
File type: PDF
Size: 50.6 KB
Created: 2020-12-19 12:53:24 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 29f5581a84a9fc8aca7cc36ce6679862
SHA-1: cf3617535b0e7a2bfce48b181c7dc80a38baa2a3
SHA-256: 0b21c6d9f942262d1c38f0733b8a09d912abdbcee566494087947b446d60e4d6
Risk score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF document contains a large number of external links, and a specific heuristic identifies it as a 'PDF_SEO_LINK_FARM'. The primary URL observed is traffset.ru, which is associated with malicious activity. The ML classifier also flagged this PDF with high confidence. No scripts were extracted, but the link structure indicates an intent to redirect users to potentially harmful websites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9726

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffset.ru/aws?utm_term=phy+android+17+dokkan+wiki