Malicious PDF — malware analysis report

Static analysis result for SHA-256 52d26d06e89da02c…

MALICIOUS

PDF

Size: 41.1 KB
Created: 2020-11-25 18:34:08 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-07
MD5: cfee01e96e697dbe9a376289f4452d51
SHA-1: d71bc55ec4b03ac546b1a9bf3a36527a3cb1d7c0
SHA-256: 52d26d06e89da02c0d4bb05542df9c3afadc96cfb716a1cc409c4b173a5cd997
Risk Score: 94

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file was detected as malicious by ClamAV and an ML classifier. It contains an embedded URI pointing to 'trafftec.ru', which is likely a phishing or malware distribution domain. The document body is heavily obfuscated and appears to be junk data, suggesting the primary malicious function is not within the visible text but likely through embedded scripts or exploits.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6525

Heuristics (3)

  • ClamAV detection (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://trafftec.ru/strik?utm_term=off+white+ikea+rug+dimensions (PDF link annotation)