Malicious PDF — malware analysis report

Static analysis result for SHA-256 87b72b77bb095893…

Verdict: MALICIOUS
File type: PDF
Size: 42.4 KB
Created: 2020-11-10 19:14:14 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7f17a2cac3d128d5ee9b3b234ca159c8
SHA-1: 6ba9f2237bc0622c2440c909e70829e388a9fb9a
SHA-256: 87b72b77bb0958931296b9c22dd52b553288ec144f08d4182c29d1fdfcff42be
Risk Score: 172

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

This PDF is classified as malicious on the basis of its structure and its single clickable link. The heuristics describe an image-only lure: a full-page image with no text, carrying a URI action that sends the user to a known malicious redirector. No parser exploit was flagged; the heuristics attribute the risk to user interaction and the redirect chain, so triage should focus on the redirector URL and where it lands rather than on the PDF reader itself.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6525

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (severity: critical; rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    The PDF contains a clickable URI pointing at redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents rely on user interaction and redirect chains rather than on a PDF parser vulnerability, so the file is harmless until the link is followed.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware with the signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0.
  • Image-only document with action trigger (screenshot lure) (severity: medium; rule: PDF_IMAGE_LURE)
    The PDF has 1 image and 0 text blocks, carries a click-outward action, and is only 42 KB: the typical shape of a phishing lure in which a full-page screenshot hides a clickable button that launches, or submits to, an attacker URL.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label records which channel (macro, JS, link annotation, document body, ...) carries each URL, which is what determines whether it fires on open or only on a click.
    URL https://cctraff.ru/aws?keyword=now+it+can+be+told+leslie+groves
    • https://vuxozajuje.weebly.com/uploads/1/3/1/3/131379873/dozafawegikuxoto.pdf
    • https://mixorone.weebly.com/uploads/1/3/1/4/131438240/4053217.pdf
    • https://cdn-cms.f-static.net/uploads/4383704/normal_5f95ad8d0f7ad.pdf
    • https://gurigibafex.weebly.com/uploads/1/3/0/7/130739571/6704921.pdf
    • https://cdn-cms.f-static.net/uploads/4393044/normal_5f92802fbb916.pdf
    • https://nobinetezo.weebly.com/uploads/1/3/0/9/130969761/3b0ba99ac7.pdf
    • https://cdn-cms.f-static.net/uploads/4384839/normal_5f9873ee0d321.pdf
    • https://bijifejutumaxob.weebly.com/uploads/1/3/1/3/131381781/buwazefuladu.pdf
    • https://cdn-cms.f-static.net/uploads/4445119/normal_5fa9bb7e34650.pdf
    • https://s3.amazonaws.com/kevava/black_and_decker_spotlight_manual.pdf
    • https://s3.amazonaws.com/jijumupade/west_branch_soccer_field.pdf
    • https://s3.amazonaws.com/jaxesabi/buddhahood_without_meditation.pdf
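The two rules above, the image-lure shape (image count, text-block count, click-outward action, small size) and the per-channel URL labelling behind EMBEDDED_URL, can be reproduced on raw PDF syntax. The script below is an added example written for this report, not the analysis engine's code. It constructs a one-page PDF with a full-page image and a Link annotation carrying a /URI action (optionally with a FlateDecode-compressed content stream), inflates Flate streams, extracts URI actions labelled by the kind of object that carries them, and applies the four image-lure conditions. The size threshold, the channel names and the example.invalid URL are assumptions, and the sample PDF is constructed, not the analysed file. Regex-over-bytes parsing is a triage shortcut that ignores object streams, hex-string /URI values and filters other than FlateDecode, so confirm any negative result with a real PDF parser.

```python
# Added example for this report, not the analysis engine's code: regex-over-bytes triage after
# inflating FlateDecode streams. Object streams, hex-string /URI values and other filters are
# not handled; use a real PDF parser before trusting a negative result.
import re
import zlib
from typing import List, Tuple

MAX_LURE_SIZE_BYTES = 100 * 1024   # "small file" cut-off: assumed value, the report's own is not published
OBJ_RE = re.compile(rb"\d+\s+\d+\s+obj\b(.*?)\bendobj", re.DOTALL)
FLATE_STREAM_RE = re.compile(rb"/Filter\s*/FlateDecode([^>]*)>>\s*stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
URI_STRING_RE = re.compile(rb"/URI\s*\(([^)]*)\)")                   # literal-string /URI values only
HTTP_RE = re.compile(rb"https?://[^\s<>()\"']+")
TEXT_BLOCK_RE = re.compile(rb"\bBT\b.*?\bET\b", re.DOTALL)            # text objects in content streams
IMAGE_RE = re.compile(rb"/Subtype\s*/Image\b")
OUTWARD_ACTION_RE = re.compile(rb"/S\s*/(URI|Launch|SubmitForm|GoToR)\b")  # actions that leave the document


def build_sample_pdf(uri: bytes, with_text: bool = False, compress: bool = False) -> bytes:
    """Constructed test input (not the analysed sample): one page, a 1x1 image scaled to the
    full page, and a Link annotation whose /URI action targets `uri`."""
    content = b"q 612 0 0 792 0 0 cm /Im0 Do Q"
    if with_text:
        content += b" BT /F1 12 Tf 72 720 Td (Invoice) Tj ET"
    if compress:
        data = zlib.compress(content)
        content_obj = b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(data) + data + b"\nendstream"
    else:
        content_obj = b"<< /Length %d >>\nstream\n" % len(content) + content + b"\nendstream"
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Resources << /XObject << /Im0 4 0 R >> >> /Contents 5 0 R /Annots [6 0 R] >>",
        b"<< /Type /XObject /Subtype /Image /Width 1 /Height 1 /ColorSpace /DeviceRGB "
        b"/BitsPerComponent 8 /Length 3 >>\nstream\n\xff\x00\x00\nendstream",
        content_obj,
        b"<< /Type /Annot /Subtype /Link /Rect [72 72 540 720] /A << /S /URI /URI (" + uri + b") >> >>",
    ]
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objects) + 1, xref_pos)
    return bytes(out)


def inflate_streams(pdf: bytes) -> bytes:
    """Swap each FlateDecode stream body for its inflated content so the regex passes can see it."""
    def repl(m):
        try:
            # decompressobj tolerates a truncated trailing checksum (the EOL-stripping regex can
            # eat a final \r byte); invalid data still raises and the stream is kept as is.
            data = zlib.decompressobj().decompress(m.group(2))
        except zlib.error:
            return m.group(0)
        return b"/Filter /FlateDecode" + m.group(1) + b">>\nstream\n" + data + b"\nendstream"
    return FLATE_STREAM_RE.sub(repl, pdf)


def extract_urls(pdf: bytes) -> List[Tuple[str, str]]:
    """Return (channel, url) pairs; the channel is the kind of object carrying the URL
    (a link annotation needs a click, an OpenAction or JavaScript action fires on open)."""
    pdf = inflate_streams(pdf)
    found, seen = [], set()

    def add(channel: str, raw: bytes) -> None:
        url = raw.decode("latin-1")
        if url not in seen:
            seen.add(url)
            found.append((channel, url))

    for body in OBJ_RE.findall(pdf):
        if re.search(rb"/Subtype\s*/Link\b", body):
            channel = "link_annotation"
        elif re.search(rb"/S\s*/JavaScript\b", body):
            channel = "javascript"
        elif re.search(rb"/OpenAction\b", body):
            channel = "open_action"
        else:
            channel = "other_object"
        if OUTWARD_ACTION_RE.search(body):
            for m in URI_STRING_RE.finditer(body):
                add(channel, m.group(1))
        if channel == "javascript":
            for raw in HTTP_RE.findall(body):      # URLs hard-coded in script text
                add(channel, raw)
    for raw in HTTP_RE.findall(pdf):               # anything left is plain body text
        add("document_body", raw)
    return found


def assess_image_lure(pdf: bytes, inflate: bool = True) -> dict:
    """Apply the report's four image-lure conditions: at least one image, no text objects,
    a click-outward action, and a small file. Counts are taken from the inflated bytes."""
    size = len(pdf)
    if inflate:
        pdf = inflate_streams(pdf)
    images = len(IMAGE_RE.findall(pdf))
    text_blocks = len(TEXT_BLOCK_RE.findall(pdf))
    outward = OUTWARD_ACTION_RE.search(pdf) is not None
    return {"images": images, "text_blocks": text_blocks, "click_outward_action": outward,
            "size_bytes": size,
            "image_lure": images >= 1 and text_blocks == 0 and outward and size <= MAX_LURE_SIZE_BYTES}
```

Inflating streams is the step that matters in practice: building the sample with with_text=True and compress=True puts the BT/ET text object inside a compressed stream, and assessing that same file with inflate=False counts zero text blocks and flags it as a lure, which is the false positive a raw-bytes scanner produces on ordinary wkhtmltopdf output. Size alone is a weak signal; the clickable URI with no text around it is what carries the weight, and the channel label is what tells you whether the user has to click or merely open the file.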