Malicious PDF — malware analysis report

Static analysis result for SHA-256 03b3d7d7eb59060b…

MALICIOUS

PDF

Size: 50.6 KB
Created: 2020-11-29 05:41:00 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bc37369ec88f99e30269c3620d515053
SHA-1: 2c991748eaf20ae4a32583aa21759596c400367e
SHA-256: 03b3d7d7eb59060b8905641264cb43186bb53df9dfe74d05fd2e59fe42baf2db
Risk Score: 114

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file is identified as malicious by multiple heuristics and by ClamAV, which specifically flags it as a phishing trojan. The 'PDF_IMAGE_LURE' heuristic indicates it is an image-based document designed to trick users into clicking an embedded link. The primary malicious URL found is `https://trafficel.ru/strik?utm_term=no+data+service+temporarily+not+offered+by+the+mobile+network+at+your+location`, which is likely used to deliver a secondary payload or to redirect the victim to a phishing site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5897

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 50 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://trafficel.ru/strik?utm_term=no+data+service+temporarily+not+offered+by+the+mobile+network+at+your+location