Malicious PDF — malware analysis report

Static analysis result for SHA-256 a4ad3deed9ea2959…

MALICIOUS

PDF

156.6 KB Created: 2020-11-21 11:49:21 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-31
MD5: df4c718eaaa9029d40c56e265f4a1040 SHA-1: 95d8e6addfb3253b07e00ac8d2490aedfcc3dd56 SHA-256: a4ad3deed9ea2959bd2dcf6a5a217f2aa26a663dbf077a6149423d763823bef2
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file contains a heuristic indicating an embedded URI pointing to 'traffset.ru', which is flagged as unknown reputation. The document body, though heavily obfuscated, contains text fragments that suggest a lure related to 'online book reading'. The ClamAV detection and ML classifier strongly indicate maliciousness, likely related to phishing or trojan delivery via the embedded URL.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9890

Heuristics 3

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffset.ru/aws?utm_term=online+boek+lezen+zonder+en PDF link annotation
    • https://gimelasu.weebly.com/uploads/1/3/4/5/134513778/7847107.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/d6f0e453-f386-4098-b00d-f265d1cbc969/example_of_radiation_in_heat_transfer.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/e3f7e90f-05cc-4759-9827-56a371d84e77/75210637761.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/e2b08866-5874-4f02-bf73-891000d7ccca/vogojawuxix.pdfIn PDF document text
    • https://s3.amazonaws.com/votubukaxogilix/turkish_march_sheet_music_piano.pdfIn PDF document text
    • https://s3.amazonaws.com/jirebonudur/kotafumakaxofokedikules.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/345ef73a-dc11-450f-9aa4-db922bc1ff2f/vavixav.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/01216075-0c62-4496-964d-893eab0a6f27/facebook_lite_apk_pour_epol.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/1c8e2e17-b36a-496b-9a2d-eb89dcb3e6f7/nexedowugozodabede.pdfIn PDF document text
    • https://s3.amazonaws.com/pazovugal/123_movies_mail.pdfIn PDF document text
    • https://s3.amazonaws.com/xezonijida/xaxuwodilozalulap.pdfIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.