Malicious PDF — malware analysis report

Static analysis result for SHA-256 aa1c2efda92611d3…

MALICIOUS

PDF

47.5 KB Created: 2020-12-06 12:45:50 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 07a137b973ddd78cb2c77324b2cd73fa SHA-1: 928ccd580cb7b14bb0c53807222bc4af30ab8ee3 SHA-256: aa1c2efda92611d3e677b0983f742a2ede0fcc9d01b6b5ad908efcd3a61cd1ee
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is identified as a malicious PDF by multiple heuristics, including a ClamAV detection and an ML classifier. It contains an embedded URI pointing to a suspicious domain, likely a phishing lure. Although no scripts were explicitly extracted, the PDF structure and embedded URI suggest an attempt to redirect the user to a malicious site, aligning with spearphishing tactics.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5282

Heuristics 3

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://trafffi.ru/strik?utm_term=general+publius+quinctilius+varus
    • https://bonunobomatujo.weebly.com/uploads/1/3/4/3/134318799/dasitidusala-sagirudas.pdf
    • https://gaburidukir.weebly.com/uploads/1/3/4/4/134463400/2f2e45ed6c166bf.pdf
    • https://uploads.strikin
    • https://uploads.strikinglycdn.com/files/2ad31a70-242d-4cd8-a042-4e53b3ddf9e9/zewatuzapevorigunanus.pdf

Open this report in the interactive analyzer, or submit your own file for analysis.