PDF malware analysis — malicious · 65be643eb9dad36c

MALICIOUS

PDF

84.6 KB Created: 2020-11-28 06:08:30 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 3fe1dd1485131fa84ab7efc43b459d2a SHA-1: 44200fde5531103e3a8c0b7ecc7f6ea11842f20b SHA-256: 65be643eb9dad36c9a0bf6df391071726f326e978d9b0ef5f28c2963576794c6

122 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The sample is a PDF document identified as malicious by ClamAV and contains a critical heuristic firing for a redirector link. The embedded URL, https://traffmen.ru/strik?utm_term=left+4+dead+hunter+costume, is flagged as malicious. While no scripts were explicitly extracted, the PDF structure and the presence of a malicious redirector strongly suggest an attempt to lure the user to a harmful site, likely for phishing or to download further malware.

Machine Learning

Nyx PDF Classifier clean score 0.1730

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL https://traffmen.ru/strik?utm_term=left+4+dead+hunter+costume

Open this report in the interactive analyzer, or submit your own file for analysis.