Malicious PDF — malware analysis report

Static analysis result for SHA-256 201ef238e145f1a0…

MALICIOUS

PDF

Size: 33.6 KB
Created: 2020-10-26 01:29:13 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ef60421be3a0bdf0e67a03b97bff1836
SHA-1: 6e1d46a234b2c51da0724e02756b761a3471d1c7
SHA-256: 201ef238e145f1a08593714d65238e6faa2e4c1ec914dbf6d0f9a0613ac68293
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded links, many of which point to known malicious redirectors or suspicious domains. The heuristic 'PDF_MALICIOUS_REDIRECTOR_LINK' specifically flags a link to 'gettraff.ru', indicating a redirection to malicious infrastructure. The 'PDF_SEO_LINK_FARM' heuristic further suggests the document is designed to host a large number of external links, likely for SEO manipulation or to distribute malware.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (3)

  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://gettraff.ru/aws?keyword=business+english+reading+exercises+pdf