Malicious PDF — malware analysis report

Static analysis result for SHA-256 3e603f4c0e3eac31…

MALICIOUS

PDF

Size: 18.6 KB
Created: 2020-11-02 03:34:13 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-18
MD5: ef0b436ecde548c261acacee8c6332ff
SHA-1: b494a8827419b9815168930b9604cf8329719e9d
SHA-256: 3e603f4c0e3eac313851e4dd6257c7d27ba13c50e6b302939234bd3bfaf097bc
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF document contains numerous embedded links, including one pointing to a known malicious redirector at 'https://cctraff.ru/aws?keyword=lego+mars+mission+game+crystalien+conflict'. The document's structure suggests it is part of a link farm designed to drive traffic to potentially malicious sites. While no scripts were explicitly extracted, the presence of embedded links and the ML classifier's high confidence indicate a malicious intent to redirect users.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9954

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://cctraff.ru/aws?keyword=lego+mars+mission+game+crystalien+conflict (in PDF document text)