Malicious PDF — malware analysis report

Static analysis result for SHA-256 83158fa5da06d9f7…

Verdict: MALICIOUS
File type: PDF
Size: 58.6 KB
Created: 2020-12-11 18:43:00 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-31
MD5: 0e0a459f05f57ba252a322e6d56824f3
SHA-1: 7b068d2d3ce2621b2c8e7c788a413750534c86f5
SHA-256: 83158fa5da06d9f7cd228160fbaff13cdc86b8e9fc119b45c75a2e53445807c0
Risk score: 94

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file contains a heuristic indicating an external URI, specifically 'https://traffset.ru/aws?utm_term=code+blocks+turbo+c'. ClamAV also detected the file as 'Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0', suggesting a phishing or trojanized document. The document body, though heavily obfuscated, contains text related to 'Code blocks turbo c' and 'wkhtmltopdf', likely serving as a lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6654

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://traffset.ru/aws?utm_term=code+blocks+turbo+c (PDF link annotation)
    • https://cdn-cms.f-static.net/uploads/4366057/normal_5f885cff4f20c.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4383327/normal_5fc98f25e29e4.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4369141/normal_5fa8a3ac6b4a5.pdf (in PDF document text)
    • https://static1.squarespace.com/static/5fc6f7a381da8a590dadce4a/t/5fc8d1a97ff5a343ebfe960b/1606996393796/3661188546.pdf (in PDF document text)
    • https://s3.amazonaws.com/penefelomiju/hamilton_beach_6_slice_easy_reach_toaster_oven_with_convection_reviews.pdf (in PDF document text)
    • https://static1.squarespace.com/static/5fc5ada1c89e1c4b8fdf3d5c/t/5fc9feee85627875175fe0f8/1607073519437/vagegefewelof.pdf (in PDF document text)
    • https://static1.squarespace.com/static/5fc65581a13a450bab197ba5/t/5fccc967a87f9f1b19d6e475/1607256423664/letting_the_car_idle_meaning.pdf (in PDF document text)
    • https://s3.amazonaws.com/tulosa/agradecimiento_por_felicitacion_de_cumpleaos_formal.pdf (in PDF document text)
    • https://s3.amazonaws.com/novifamigot/desunumora.pdf (in PDF document text)
    • https://s3.amazonaws.com/sorogamat/kugofunokelubuzav.pdf (in PDF document text)
    • https://static1.squarespace.com/static/5fc10f47bd14ff0dd29d9327/t/5fc5b9f7fa04221c71e65f0b/1606793722213/26871495148.pdf (in PDF document text)