Malicious PDF — malware analysis report

Static analysis result for SHA-256 84f15a7d4ed9c4ce…

Verdict: MALICIOUS
File type: PDF
Size: 37.8 KB
Created: 2020-10-05 06:52:34 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-16
MD5: 8e66d37acca4f288e2e98767035f8027
SHA-1: 489832e6f9201463ff2631ddbdde5397a7ae8bda
SHA-256: 84f15a7d4ed9c4ce3c80fc26b7ff1de650f5234404f599791b1de294bb44a2a0
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains numerous embedded links, including a critical redirector link to 'cctraff.ru', which is flagged as malicious. The document body, though heavily obfuscated, contains text suggesting it is a search result for a book, indicating a lure to a malicious site. The presence of a link farm heuristic further supports the malicious intent of directing users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9895

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://cctraff.ru/strik?keyword=andrew+cardwell+rsi+book+pdf+free [In PDF document text]