Malicious PDF — malware analysis report

Static analysis result for SHA-256 65e6abc7caebce4c…

MALICIOUS

PDF

37.6 KB Created: 2020-12-11 08:40:27 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d8e20b07737b78f45a423d41b64b31f0 SHA-1: 04d345743ca6d9e3a3047760a49e5579a5098d29 SHA-256: 65e6abc7caebce4c6a48a8449716dab95556e590a353ae921975764fdd91f2bf
174 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF is identified as an image-only lure, a common tactic for phishing campaigns. It contains multiple external links, one of which, 'https://trafftec.ru/aws?utm_term=fajardo+estimate+guide', is flagged as suspicious. ClamAV detection further supports its malicious nature, classifying it as 'Pdf.Phishing.Trojan'. The presence of embedded links suggests an attempt to redirect the user to malicious sites or download further malware.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6328

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 37 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://trafftec.ru/aws?utm_term=fajardo+estimate+guide
    • https://cdn-cms.f-static.net/uploads/4368497/normal_5fb261678fafc.pdf
    • https://cdn-cms.f-static.net/uploads/4407997/normal_5fd27438c8407.pdf
    • https://devomejot.weebly.com/uploads/1/3/4/4/134491467/5221897.pdf
    • https://cdn-cms.f-static.net/uploads/4448341/normal_5fc360b82fcaf.pdf
    • https://cdn-cms.f-static.net/uploads/4416128/normal_5f96672fee67e.pdf
    • https://static1.squarespace.com/static/5fbce344be7cfc36344e8aaf/t/5fbf4d2f173fb5383b989de1/1606372656379/cargo_bridge_2_unblocked_games.pdf
    • https://static1.squarespace.com/static/5fc54c757d0c8f249d5e0aa3/t/5fcc599ac836a917f9030014/1607227803997/general_grievous_meme_gif.pdf
    • https://s3.amazonaws.com/juduk/nasavemiruzewaw.pdf
    • https://s3.amazonaws.com/jeworurowam/body_language_worksheet.pdf
    • https://static1.squarespace.com/static/5fbce344be7cfc36344e8aaf/t/5fbe12d62dd96f5918b628db/1606292182516/sutedi.pdf

Open this report in the interactive analyzer, or submit your own file for analysis.