Malicious PDF — malware analysis report

Static analysis result for SHA-256 dbd7cf9cd36b28f7…

MALICIOUS

PDF

Size: 49.6 KB
Created: 2020-11-13 04:41:19 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-15

MD5: 20e5b85c1eb47afae20ff6417ab6be2a
SHA-1: d611698c5dd8bf1a3b0bc2794098d5b3a92339e0
SHA-256: dbd7cf9cd36b28f7e1846ad64b4819cb670b3ba1ee8c751320c68297b02d0f5c

Risk Score: 94

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is identified as malicious by multiple heuristics and a machine learning classifier. It contains an embedded URI pointing to 'traffine.ru', which is suspicious. The document body, though partially garbled, suggests a lure related to a tourist guide, likely intended to trick the user into visiting the malicious URL for phishing or to download a secondary payload.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9421

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://traffine.ru/aws?utm_term=ile+de+r%25C3%25A9+guide+touristique  (PDF link annotation)
    • https://s3.amazonaws.com/potevip/basic_computer_engineering_mcq.pdf  (in PDF document text)
    • https://s3.amazonaws.com/wipotegadodorek/92075109456.pdf  (in PDF document text)
    • https://s3.amazonaws.com/subud/42423464739.pdf  (in PDF document text)
    • https://s3.amazonaws.com/zikeko/carcinomatose_peritoneal.pdf  (in PDF document text)
    • https://s3.amazonaws.com/rupatojuko/manual_cup_style_citrus_juicer.pdf  (in PDF document text)
    • https://s3.amazonaws.com/vavabi/vtech_cs6929-4_manual.pdf  (in PDF document text)
    • https://s3.amazonaws.com/vuliwisuwig/89654134090.pdf  (in PDF document text)
    • https://s3.amazonaws.com/rujimidujek/ruruwofasibekegon.pdf  (in PDF document text)
    • https://s3.amazonaws.com/vasagesorajirem/77818551808.pdf  (in PDF document text)
    • https://uploads.strikinglycdn.com/files/a08c9592-c947-4a18-9cbc-bcc14796c072/tonaxagaji.pdf  (in PDF document text)
    • https://uploads.strikinglycdn.com/files/f08617d4-bd90-49c8-8033-f8c262747373/janome_15000_manual.pdf  (in PDF document text)
    • https://s3.amazonaws.com/wizedumi/theories_of_deviance.pdf  (in PDF document text)
    • https://s3.amazonaws.com/zirojopemup/96599043922.pdf  (in PDF document text)
    • https://s3.amazonaws.com/sugaguxagu/60974156226.pdf  (in PDF document text)