Malicious PDF — malware analysis report

Static analysis result for SHA-256 7d1a22b14ba9702f…

Verdict: MALICIOUS

File type: PDF

Size: 23.6 KB
Created: 2020-10-27 08:45:06 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 667f7d8cf3a0a5fa7aa644cfd414e15d
SHA-1: 291bb40ab0036e937ba1749c097733d97ab56ef6
SHA-256: 7d1a22b14ba9702fbdaa4c1d29eb56325237bcaa94fdfcf3246d406b9e6d7f54

Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a link disguised as a search result for a cheap Wii console, which redirects to a malicious URL. The PDF also functions as a link farm, containing numerous links to other PDF documents, likely for SEO manipulation or to host further malicious content. The ML classifier also flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9966

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ggtraff.ru/strik?keyword=wii+console+for+sale+cheap
    • https://cdn-cms.f-static.net/uploads/4366351/normal_5f8c43bbc1a39.pdf
    • https://cdn-cms.f-static.net/uploads/4413111/normal_5f96363d1ce9f.pdf
    • https://cdn-cms.f-static.net/uploads/4386080/normal_5f8db3d61c50a.pdf
    • https://cdn-cms.f-static.net/uploads/4379038/normal_5f8d67c5c8f80.pdf
    • https://s3.amazonaws.com/jeromopelurab/tuberculosis_cenetec.pdf
    • https://s3.amazonaws.com/pugomonapoxuxe/70040169322.pdf
    • https://s3.amazonaws.com/wonoti/mazirosizub.pdf
    • https://s3.amazonaws.com/fibesezati/35311895156.pdf
    • https://s3.amazonaws.com/xebuvuwov/oxford_dictionary_of_english_download.pdf
    • https://cdn.shopify.com/s/files/1/0498/0801/5523/files/nba2k20_apk_and_obb.pdf
    • https://cdn.shopify.com/s/files/1/0479/6629/0076/files/libro_ingles_7_basico_2020.pdf
    • https://cdn.shopify.com/s/files/1/0439/0515/5227/files/18961107788.pdf
    • https://cdn.shopify.com/s/files/1/0268/8391/5962/files/airtel_thanks_apk_free_download.pdf
    • https://cdn.shopify.com/s/files/1/0435/3071/5288/files/fejolixawepipabux.pdf
    • https://uploads.strikinglycdn.com/files/5b8f4b51-3eab-420c-8844-62df912d0e7c/rofejurodikimufoxevexi.pdf
    • https://uploads.strikinglycdn.com/files/dd5d3c42-e5f4-485f-9beb-9f082199366c/23739225642.pdf
    • https://uploads.strikinglycdn.com/files/e9b92352-ecde-461e-9122-41f5a24881c6/zuvif.pdf
    • https://s3.amazonaws.com/felasorarabipis/understanding_architectural_drawings_a_guide_for_non-_architects.pdf
    • https://s3.amazonaws.com/henghuili-files/99527790168.pdf
    • https://s3.amazonaws.com/jamokaroxoj/aldosterona_y_potasio.pdf
    • https://s3.amazonaws.com/dujepav/organizational_behaviour_and_management_martin_fellenz.pdf
    • https://s3.amazonaws.com/mijedusovineti/35213314613.pdf
    • https://s3.amazonaws.com/fuwenoxuzasila/51984850885.pdf
    • https://s3.amazonaws.com/kovilowab/vumoxasid.pdf