Malicious PDF — malware analysis report

Static analysis result for SHA-256 5c648202f903ed82…

MALICIOUS

PDF

Size: 91.0 KB
Created: 2020-12-03 19:59:10 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f180ebb924f880b8498e65ad54c8b7c4
SHA-1: b5a2fc06b60074d87074e4347ca6e22be8c09784
SHA-256: 5c648202f903ed82f352d730b57f7738fc4fc950e5896b0ec41d87b83399b757
Risk Score: 94

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is identified as malicious by multiple heuristics and a machine learning classifier. It contains an embedded URI pointing to 'trafffe.ru', which is highly suspicious. The document body, though heavily obfuscated, suggests it is a PDF file. The presence of an external URI in a PDF, coupled with high-risk detection scores, indicates a likely phishing or malware delivery attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8797

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://trafffe.ru/123?utm_term=evangelio+de+san+marcos+completo+hablado