Malicious PDF — malware analysis report

Static analysis result for SHA-256 b09b41e658b64e2c…

MALICIOUS

PDF

100.2 KB Created: 2021-01-06 21:55:24 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-05
MD5: 173f55e87eb95e9a93d38238fc581438 SHA-1: 68e0673972deb32ef25d1d81636f537740d9c6ab SHA-256: b09b41e658b64e2c5ce9006fbd5b4409dec4dc8a4245dfb664929571213ad0ba
122 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file was flagged by ClamAV as malicious and contains a critical heuristic indicating a link to known malicious redirector infrastructure. The embedded URL, https://traffine.ru/aws?utm_term=zoster+ophthalmicus+guidelines, likely serves as a lure to a phishing or malware distribution site. No scripts were extracted, but the presence of a malicious redirector strongly suggests a phishing or credential harvesting attempt.

Machine Learning

  • Nyx PDF Classifier clean score 0.1056

Heuristics 3

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffine.ru/aws?utm_term=zoster+ophthalmicus+guidelines In PDF document text