Malicious PDF — malware analysis report

Static analysis result for SHA-256 d9795cd21e5a14f9…

Verdict: MALICIOUS
File type: PDF

Size: 75.6 KB
Created: 2020-11-03 11:44:59 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5df4b153e145abb9f6098bdf4ff4e9e5
SHA-1: 214233cb49639c02bebea878c307e4c00d203f52
SHA-256: d9795cd21e5a14f91dfceb88ac9fe399dc555ee26675d9295a725d3b4e802939
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF carries 15 clickable link annotations. Fourteen point to externally hosted PDFs, most of them on weebly.com subdomains and the rest on f-static.net and s3.amazonaws.com, and one points to cctraff.ru, a known malicious redirector. Combined with the file's small size and its generated origin (wkhtmltopdf), this is the profile of an SEO link-farm carrier rather than a genuine document: its purpose is to funnel a user who clicks into a redirect chain that ends in phishing or unwanted-software delivery. No PDF parser exploit is involved, so the sample is only dangerous if a link is followed.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9956

Heuristics (3)

  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI pointing at redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. Documents of this kind rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • PDF_SEO_LINK_FARM (critical): Small PDF contains a mass external PDF link farm
    A small PDF carries many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, not a normal document citation pattern.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://cctraff.ru/aws?keyword=britney+spears+if+you+seek+amy+lyrics (clickable link to a known malicious redirector; see PDF_MALICIOUS_REDIRECTOR_LINK)
    • https://mazaxijav.weebly.com/uploads/1/3/4/4/134488449/sovov-tijamot-pomudo-gavose.pdf
    • https://relupopakamon.weebly.com/uploads/1/3/4/4/134455445/3829b0b18ebd47.pdf
    • https://vuxozajuje.weebly.com/uploads/1/3/1/3/131379873/9653445.pdf
    • https://sapigufebo.weebly.com/uploads/1/3/4/5/134592603/c086d688fe5ea40.pdf
    • https://cdn-cms.f-static.net/uploads/4369914/normal_5f8c636cddc48.pdf
    • https://sebiwijojemobod.weebly.com/uploads/1/3/4/0/134097571/8742736.pdf
    • https://vodipewelo.weebly.com/uploads/1/3/1/6/131637384/487738.pdf
    • https://sapigufebo.weebly.com/uploads/1/3/4/5/134592603/fapavugobo.pdf
    • https://cdn-cms.f-static.net/uploads/4368969/normal_5f91d79039c6e.pdf
    • https://dejolezeg.weebly.com/uploads/1/3/2/8/132815968/78aa168b.pdf
    • https://cdn-cms.f-static.net/uploads/4386605/normal_5f95f7bccf672.pdf
    • https://s3.amazonaws.com/juvetaso/rafepigozazalomev.pdf
    • https://s3.amazonaws.com/kavitokolezub/bopalik.pdf
    • https://s3.amazonaws.com/tadevewuju/74553238647.pdf
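The three heuristics above describe a detection pattern that can be reproduced without a full PDF parser: pull the /URI action strings out of the file's link annotations, check each host against a redirector list, and flag a small file whose clickable links are mostly external PDFs clustered on one host family. The following Python script is an added example written for this page, not the analysis engine's own code. It scans raw PDF bytes for /URI literal strings (handling the escape and nested-parenthesis rules of PDF strings), applies the three checks, and runs them over a constructed, uncompressed stand-in PDF built from the URLs listed in this report. The thresholds, the redirector list (seeded only with cctraff.ru from this report) and the last-two-labels host grouping are assumptions chosen for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Redirector host named in this report; a production engine would load a maintained feed.
KNOWN_REDIRECTOR_HOSTS = {"cctraff.ru"}
# Thresholds are assumptions chosen for this example, not the engine's tuned values.
SMALL_PDF_BYTES = 200 * 1024   # what counts as a "small" PDF
MIN_PDF_LINKS = 10             # external .pdf links needed before calling it a farm
CLUSTER_SHARE = 0.5            # share of those links on the dominant host family
_ESCAPE = re.compile(rb"\\([0-7]{1,3}|.)", re.DOTALL)
_SIMPLE_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"\n": b"", b"\r": b""}

def _unescape(s: bytes) -> bytes:
    """Resolve PDF literal-string escapes: \\( \\) \\\\, octal \\ddd and line continuations."""
    def sub(m):
        e = m.group(1)
        if e[0] in b"01234567":
            return bytes([int(e, 8) & 0xFF])
        return _SIMPLE_ESCAPES.get(e, e)
    return _ESCAPE.sub(sub, s)

def extract_uri_actions(pdf: bytes) -> list[str]:
    """Return every /URI action string (literal-string form) in file order.
    Caveat: a raw scan only sees uncompressed objects; annotations inside compressed
    object streams (PDF 1.5+), or written as hex strings <...>, need a real parser."""
    urls, pos = [], 0
    while (i := pdf.find(b"/URI", pos)) >= 0:
        j = i + 4
        while j < len(pdf) and pdf[j] in b" \t\r\n\x0c\x00":
            j += 1
        if pdf[j:j + 1] != b"(":            # e.g. "/S /URI" (the action type), not a value
            pos = j
            continue
        depth, k, raw = 1, j + 1, bytearray()
        while k < len(pdf):
            c = pdf[k:k + 1]
            if c == b"\\":                  # keep the escape pair intact for _unescape
                raw += pdf[k:k + 2]
                k += 2
                continue
            depth += (c == b"(") - (c == b")")   # literal strings may nest balanced parens
            if depth == 0:
                break
            raw += c
            k += 1
        urls.append(_unescape(bytes(raw)).decode("utf-8", "replace"))
        pos = k + 1
    return urls

def _host_family(host: str) -> str:
    """Crude grouping by last two labels (*.weebly.com -> weebly.com); real engines use the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def triage(pdf: bytes) -> dict:
    """Apply the three heuristics from the report and return the evidence behind each."""
    urls = extract_uri_actions(pdf)
    parsed = [urlparse(u) for u in urls]
    findings = ["EMBEDDED_URL"] if urls else []
    redirector_hits = [u for u, p in zip(urls, parsed)
                       if (p.hostname or "").lower() in KNOWN_REDIRECTOR_HOSTS]
    if redirector_hits:
        findings.append("PDF_MALICIOUS_REDIRECTOR_LINK")
    pdf_links = [p for p in parsed
                 if p.scheme in ("http", "https") and p.path.lower().endswith(".pdf")]
    families = Counter(_host_family(p.hostname or "") for p in pdf_links)
    family, count = families.most_common(1)[0] if families else ("", 0)
    share = count / len(pdf_links) if pdf_links else 0.0
    if len(pdf) < SMALL_PDF_BYTES and len(pdf_links) >= MIN_PDF_LINKS and share >= CLUSTER_SHARE:
        findings.append("PDF_SEO_LINK_FARM")
    return {"size": len(pdf), "urls": urls, "pdf_link_count": len(pdf_links),
            "dominant_family": family, "dominant_share": share,
            "redirector_hits": redirector_hits, "findings": findings}

REPORT_URLS = [  # the URLs this report extracted from the sample, in the order listed above
    "https://cctraff.ru/aws?keyword=britney+spears+if+you+seek+amy+lyrics",
    "https://mazaxijav.weebly.com/uploads/1/3/4/4/134488449/sovov-tijamot-pomudo-gavose.pdf",
    "https://relupopakamon.weebly.com/uploads/1/3/4/4/134455445/3829b0b18ebd47.pdf",
    "https://vuxozajuje.weebly.com/uploads/1/3/1/3/131379873/9653445.pdf",
    "https://sapigufebo.weebly.com/uploads/1/3/4/5/134592603/c086d688fe5ea40.pdf",
    "https://cdn-cms.f-static.net/uploads/4369914/normal_5f8c636cddc48.pdf",
    "https://sebiwijojemobod.weebly.com/uploads/1/3/4/0/134097571/8742736.pdf",
    "https://vodipewelo.weebly.com/uploads/1/3/1/6/131637384/487738.pdf",
    "https://sapigufebo.weebly.com/uploads/1/3/4/5/134592603/fapavugobo.pdf",
    "https://cdn-cms.f-static.net/uploads/4368969/normal_5f91d79039c6e.pdf",
    "https://dejolezeg.weebly.com/uploads/1/3/2/8/132815968/78aa168b.pdf",
    "https://cdn-cms.f-static.net/uploads/4386605/normal_5f95f7bccf672.pdf",
    "https://s3.amazonaws.com/juvetaso/rafepigozazalomev.pdf",
    "https://s3.amazonaws.com/kavitokolezub/bopalik.pdf",
    "https://s3.amazonaws.com/tadevewuju/74553238647.pdf",
]

def build_sample_pdf(urls) -> bytes:
    """Constructed, uncompressed stand-in for the analysed file: one /Link annotation per URL.
    It has no xref table, so it is scanner input rather than a viewable document."""
    out = bytearray(b"%PDF-1.4\n")
    for n, u in enumerate(urls, start=1):
        out += (f"{n} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                f"/A << /S /URI /URI ({u}) >> >>\nendobj\n").encode()
    return bytes(out + b"%%EOF\n")
```

Running `triage(build_sample_pdf(REPORT_URLS))` reports 14 external PDF links with weebly.com as the dominant family (8 of 14), one redirector hit for cctraff.ru, and all three heuristic IDs in `findings`; a two-link PDF pointing at one ordinary host yields only EMBEDDED_URL. The host-family grouping is what makes the weebly.com subdomains count as one cluster; a real engine would use the public suffix list instead of the last two labels, and would inflate object streams before scanning, since a raw scan misses annotations stored compressed.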