Malicious PDF — malware analysis report

Static analysis result for SHA-256 297ebe9e5d4c98fa…

Verdict: MALICIOUS
File type: PDF
Size: 30.1 KB
Created: 2020-10-24 09:29:00 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ca5976ce752b0dc198625bebb6908af4
SHA-1: c797ab2839227d331994907cde8536c56a766dcd
SHA-256: 297ebe9e5d4c98faf9a426e3f12be51c955e999939aac65b5054c9085e164b92
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains numerous embedded links, many pointing to Weebly-hosted PDFs, indicative of SEO poisoning. One prominent link directs to a known malicious redirector. The document body, though heavily obfuscated, contains text related to 'awning fabric replacement instructions' and the malicious URL, suggesting a lure to drive traffic to malicious infrastructure. No scripts were extracted, but the PDF structure itself facilitates the malicious redirection.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9951

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.ru/123?keyword=solera+awning+fabric+replacement+instructions
    • https://fidegobopoj.weebly.com/uploads/1/3/2/8/132815019/229da070f.pdf
    • https://jubunukaf.weebly.com/uploads/1/3/1/4/131483214/gatufubuvali_kefosu_senuxirukate_satarezobo.pdf
    • https://narogigadi.weebly.com/uploads/1/3/0/8/130874066/f3cd3afa6d7ff.pdf
    • https://bizumoku.weebly.com/uploads/1/3/2/6/132681494/587783.pdf
    • https://sukuvigu.weebly.com/uploads/1/3/4/2/134236057/bb0fa1a8.pdf
    • https://vobemebu.weebly.com/uploads/1/3/4/3/134383317/gojanixarowute.pdf
    • https://birebojutadavom.weebly.com/uploads/1/3/4/3/134342015/vafitivaj_nuzexudomono.pdf
    • https://radisowe.weebly.com/uploads/1/3/4/3/134366404/nidikik-vuwumemiwa-kewinu.pdf
    • https://buliduxefexefux.weebly.com/uploads/1/3/1/6/131636978/0ec1cb.pdf
    • https://cdn-cms.f-static.net/uploads/4366973/normal_5f892a9e3ef63.pdf
    • https://cdn-cms.f-static.net/uploads/4379718/normal_5f8acb121e73f.pdf
    • https://cdn-cms.f-static.net/uploads/4366652/normal_5f8771135e6de.pdf
    • https://dudererojafa.weebly.com/uploads/1/3/4/3/134362298/lanoruzopijaxilur.pdf
    • https://wetuxabo.weebly.com/uploads/1/3/0/8/130873937/musabeti.pdf
    • https://s3.amazonaws.com/fekazudabo/rogote.pdf
    • https://s3.amazonaws.com/mefovu/bula_benicar_anlo.pdf
    • https://s3.amazonaws.com/biwubeleba/design_and_analysis_of_algorithms_tutorialspoint.pdf
    • https://s3.amazonaws.com/sigobija/womekuzatifomexikinedev.pdf
    • https://cdn.shopify.com/s/files/1/0482/8453/2891/files/zipinoxigoturejowafidewiv.pdf
    • https://cdn.shopify.com/s/files/1/0483/2690/1924/files/nissan_xterra_accessories_2007.pdf
    • https://cdn.shopify.com/s/files/1/0501/3146/8453/files/pujiwarabej.pdf
    • https://cdn.shopify.com/s/files/1/0483/5298/5251/files/23168665951.pdf
    • https://cdn.shopify.com/s/files/1/0504/8772/2144/files/rslogix_5000_motion_instruction_manual.pdf