Malicious PDF — malware analysis report

Static analysis result for SHA-256 4538c3a1486892a7…

MALICIOUS

PDF

50.6 KB Created: 2020-12-26 18:54:57 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 790d3d86ca5e01361928c66729ff1ceb SHA-1: dc7a6a65b917589bfd0c2ac2c169f8297af2cb33 SHA-256: 4538c3a1486892a74bbc5adbba11fe9b7b60709c60edf0399b11b59b6783a7b7
232 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF is identified as a phishing lure due to its image-only content and a clickable action. It contains a critical heuristic indicating it links to known malicious redirector infrastructure, specifically 'traffmen.ru'. The document also hosts a large number of external PDF links, many of which are benign, but the primary malicious link is the initial redirector.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6878

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 50 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffmen.ru/aws?utm_term=alumni+portal+project
    • https://xelegiri.weebly.com/uploads/1/3/4/4/134435730/2002027.pdf
    • https://cdn-cms.f-static.net/uploads/4387411/normal_5fa143522f525.pdf
    • https://cdn-cms.f-static.net/uploads/4366359/normal_5f9fbb299179e.pdf
    • https://static.s123-cdn-static.com/uploads/4419623/normal_5fe1436e547e4.pdf
    • https://s3.amazonaws.com/pibabopuduj/vw_app_connect_android_2016.pdf
    • https://uploads.strikinglycdn.com/files/c9237c63-1a21-4139-97d8-61bdf673b5c2/danganronpa_1_characters_in_order.pdf
    • https://uploads.strikinglycdn.com/files/c324f30c-a31b-428a-bc76-129188d1e9ce/odyssey_of_the_mind_pin.pdf
    • https://uploads.strikinglycdn.com/files/77c595b1-f480-4631-afad-47a5dbdd8a03/the_smiler_with_the_knife_under_the.pdf
    • https://s3.amazonaws.com/zikeko/61895230842.pdf
    • https://s3.amazonaws.com/wuwabobujasivor/android_games_to_improve_analytical_skills.pdf
    • https://uploads.strikinglycdn.com/files/a6f1a97a-0cd3-4f9a-bd61-748c901d0646/buxutokulu.pdf
    • https://uploads.strikinglycdn.com/files/46e0bd3a-21cb-4226-af1b-5e2718caaacf/american_history_judith_ortiz_cofer_audio.pdf
    • https://s3.amazonaws.com/tadovu/5262243461.pdf
    • https://s3.amazonaws.com/kotodur/complete_or_incomplete_sentences_worksheet.pdf

Open this report in the interactive analyzer, or submit your own file for analysis.