Malicious PDF — malware analysis report

Static analysis result for SHA-256 be1d5a434a792519…

MALICIOUS

PDF

Size: 52.6 KB
Created: 2020-12-20 22:24:05 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-31
MD5: d448258c438a1d0f23de2784a5d773a4
SHA-1: 5993ba6f2cef4352a2fe1f4f21ce83af7995229f
SHA-256: be1d5a434a792519df08e3367df15fae1ab66dfcb3ee69f76bbdc968e786cbb7
Risk Score: 154

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

A link-farm heuristic fired on this PDF, with one prominent URL leading to 'trafffe.ru'. The document body, though heavily obfuscated, contains references to 'Clash of Clans update mod apk', suggesting a lure to download malicious content. The presence of external links and the ML classifier's flagging further support malicious intent, likely for phishing or malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7015

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info, PDF_URI]
    PDF contains an external URL action.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://trafffe.ru/strik?utm_term=clash+of+clans+update+mod+apk (PDF link annotation)