Malicious PDF — malware analysis report

Static analysis result for SHA-256 3f787c4fe96e9f65…

Verdict: MALICIOUS
File type: PDF

Size: 41.6 KB
Created: 2021-01-13 01:44:48 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2026-06-05
MD5: 431360077713e4747650e9fe48edad14
SHA-1: a40b32007e46728940e2fff9bbccdc6314d27cb0
SHA-256: 3f787c4fe96e9f65f1b90e82576e23efd864fd870365677e65f1b5b278ac8e3e
Risk Score: 134

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains heuristics indicating it is a phishing document using an image lure to redirect users to a malicious URL. The embedded URL and the document body, despite being heavily obfuscated, suggest a lure related to "Coursera corporate finance quiz answers" to entice clicks. The primary IOC is the redirector URL which likely leads to a phishing page.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8113

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Image lure linking to an SEO redirector (free-download phishing) [high] PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted (channel in parentheses):
    • https://trafffe.ru/aws?utm_term=coursera+corporate+finance+quiz+answers (PDF link annotation)
    • https://cdn-cms.f-static.net/uploads/4381294/normal_5fd191802b412.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4497368/normal_5fdfc78ed6b81.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4474723/normal_5ff6b87f4cb72.pdf (in PDF document text)
    • https://site-1179918.mozfiles.com/files/1179918/fatca_reporting_deadline_2019_luxembourg.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4372987/normal_5f9a581c83cb8.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4446643/normal_5ff8dc1e2895b.pdf (in PDF document text)
    • https://cdn.sqhk.co/rajexizeba/bjdjhfL/33941813772.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4365628/normal_5ff4ccb7e81c3.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4386829/normal_5f95da3c2e7c0.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4373527/normal_5fdd7c081535f.pdf (in PDF document text)
    • https://site-1197012.mozfiles.com/files/1197012/21062301537.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4366973/normal_5ffd008533f6e.pdf (in PDF document text)
    • https://cdn.sqhk.co/fifapupifig/gjenXih/83568728696.pdf (in PDF document text)
    • https://s3.amazonaws.com/pokorevalaxex/get_email_template_magento_2.pdf (in PDF document text)
    • https://s3.amazonaws.com/gosete/50495474321.pdf (in PDF document text)
    • https://s3.amazonaws.com/rawesaragegugar/kejevivabidozemeda.pdf (in PDF document text)
    • https://s3.amazonaws.com/xufaxoferugod/call_of_duty_mw3_size.pdf (in PDF document text)