Malicious PDF — malware analysis report

Static analysis result for SHA-256 af5c8a9f2c1335d5…

MALICIOUS

PDF

84.6 KB Created: 2020-11-13 08:11:32 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-31
MD5: 9b295b7c35ea7d144b7e5eb5cce4652c SHA-1: f7969c3286e0e7bf72a745a14ac1181096befd09 SHA-256: af5c8a9f2c1335d504fd5d3ed91ad39b30bb5d503ecc9e1432370ee51f9575db
212 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains heuristics indicating it is a malicious redirector and part of a link farm, aiming to direct users to harmful sites. The embedded URL `https://cctraff.ru/aws?utm_term=mcgraw+hill+connect+homework+answers` is flagged as malicious. The document body, though heavily obfuscated, suggests a lure related to 'mcgraw hill connect homework answers', reinforcing the phishing or malware distribution intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8859

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://cctraff.ru/aws?utm_term=mcgraw+hill+connect+homework+answers In PDF document text
    • https://cdn-cms.f-static.net/uploads/4379048/normal_5f94984ee4c9f.pdfIn PDF document text
    • https://zinixukugezevul.weebly.com/uploads/1/3/4/6/134612333/6890329.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4416791/normal_5f9d3b9dc1905.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/fd3766ee-0762-48a1-8d1a-056733a9cf79/13108500010.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/e57e1c28-3f69-4480-920b-d55fe84f695a/56414515769.pdfIn PDF document text
    • https://s3.amazonaws.com/rawesaragegugar/39907736477.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/a186c9ef-272f-496b-8a9d-ceb76dc9d2e5/gidizo.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/c69fcd40-7f39-45ca-a90e-02b10d011c21/70764027177.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/2d5f48ee-9014-476e-9d66-b1f831896aeb/paliwuladexaki.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/a2f3bd35-1e96-4da1-8ccd-e09ff1e3068c/kezogovewibipumokevojoki.pdfIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001395d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1395D 5376 bytes
SHA-256: 4e912693251c369f70bfecf929f9a900c888257a1fddfd6fbb0e11c6347d1fe8

Open this report in the interactive analyzer, or submit your own file for analysis.