Malicious PDF — malware analysis report

Static analysis result for SHA-256 0301284b2a64160c…

MALICIOUS

PDF

Size: 67.6 KB
Created: 2020-12-17 19:26:33 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-31
MD5: 87a498ce2a417852bfc30ec3ea308805
SHA-1: 764e25edce78451a2f40b607fe86658185c457f2
SHA-256: 0301284b2a64160c0c32c073599a9226196cd5ea8a2209d62ba178b9b21693ab
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a critical heuristic firing indicating it links to known malicious redirector infrastructure. The primary malicious URL identified is 'https://ggtraff.ru/strik?utm_term=active+assisted+movement+definition'. While no scripts were explicitly extracted, the PDF structure and the nature of the embedded link suggest an attempt to lure the user to a malicious site, likely for phishing or to download a secondary payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7455

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL / channel:
    • https://ggtraff.ru/strik?utm_term=active+assisted+movement+definition In PDF document text
    • https://uploads.strikinglycdn.com/files/f0e55779-5a9b-4bbd-8e50-9626b442f492/56351535004.pdf In PDF document text
    • https://uploads.strikinglycdn.com/files/1ba4d3a8-6d32-48b2-8b12-736950abb60e/95084457908.pdf In PDF document text
    • https://uploads.strikinglycdn.com/files/5808cefa-0fdb-47e8-82f2-4f48a2a913a3/lexuwak.pdf In PDF document text
    • https://uploads.strikinglycdn.com/files/65fdfaef-9d9e-40cc-b47d-8191c99dbfcd/53956780144.pdf In PDF document text
    • https://uploads.strikinglycdn.com/files/a4857581-949b-4eff-be61-ec15f5441876/split_movie_online.pdf In PDF document text
    • https://uploads.strikinglycdn.com/files/590e90b1-119c-4c94-b3d8-b1ccb3fdae10/navitech_navigasyon_indir.pdf In PDF document text
    • https://uploads.strikinglycdn.com/files/52aaec61-b4b9-45d9-ba4f-113b6abb91e1/50285252962.pdf In PDF document text
    • https://uploads.strikinglycdn.com/files/cb60e3df-5b99-4305-8933-6ef78f342cd8/97276390550.pdf In PDF document text
    • https://uploads.strikinglycdn.com/files/d44e8068-9c5d-4bc2-8b0e-c16114385bcd/puzajib.pdf In PDF document text
    • https://static1.squarespace.com/static/5fc6b5cb161f8068bec97957/t/5fcd0d230ab5d62febf6f957/1607273775654/f1_tv_coverage_canada_2020.pdf In PDF document text
    • https://uploads.strikinglycdn.com/files/51b24e67-6a35-4ccb-9b37-413b993ed0b7/zavawadebokatowumolikige.pdf In PDF document text
    • https://static1.squarespace.com/static/5fc645e29955c744b55fee38/t/5fd0556c26d54b3c06cfccf4/1607488877295/4460902106.pdf In PDF document text
    • https://uploads.strikinglycdn.com/files/c19f9834-4d7b-4299-aa1e-945db5f2e437/30274255122.pdf In PDF document text