Malicious PDF — malware analysis report

Static analysis result for SHA-256 b1c15f5479c726ff…

Verdict: MALICIOUS
File type: PDF
Size: 44.0 KB
Created: 2020-12-16 06:30:23 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-07-07
MD5: d3e8734779d66ecf5d153ae442a18cd9
SHA-1: 031529721f32565dfe7093d4299461cda51b62e2
SHA-256: b1c15f5479c726ffdec8a4c6fce873619eed194d6e8b97b7cd302a660dfde001
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a critical heuristic firing indicating a malicious redirector link. The ML classifier also flagged the document as malicious. The embedded URL, 'https://traffine.ru/wb?keyword=rf%20online%20grenade%20launcher%20ammo%20guide', is the primary indicator of malicious intent, likely leading to a phishing or malware download site. No scripts were extracted, but the PDF structure itself facilitated the malicious link.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6253

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF links to known malicious redirector infrastructure [critical, PDF_MALICIOUS_REDIRECTOR_LINK]
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://traffine.ru/wb?keyword=rf%20online%20grenade%20launcher%20ammo%20guide (in PDF document text)