Malicious PDF — malware analysis report

Static analysis result for SHA-256 0655f71362fd243a…

Verdict: MALICIOUS
File type: PDF
Size: 60.9 KB
Created: 2021-08-14 12:06:33 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-10-07
MD5: a14ac149138d6b8870fc1ec917d41be3
SHA-1: 3eff6a3b00c4a8ce4f091943784337b30a40ff98
SHA-256: 0655f71362fd243a4a49b1aabc7c0edf07d24d563c55f4211605d1a63fe2f722
Risk score: 72

Malware Insights

The file is a PDF containing embedded JavaScript, which is a common technique for delivering malicious content. The ClamAV detection and the presence of multiple unknown URLs suggest a phishing or malware distribution attempt. The embedded JavaScript likely facilitates the download and execution of further malicious payloads.

Machine Learning

  • Nyx PDF Classifier clean score 0.2366

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://volvo-cars.jp/js/upload/files/37960669668.pdf (in PDF document text)
    • http://www.insurancedirectcanada.ca/wp-content/plugins/formcraft/file-upload/server/content/files/1610945bac816e---54189639943.pdf (in PDF document text)
    • http://portaldo.eu/contenuti/upload/file/89433911935.pdf (in PDF document text)
    • https://feedproxy.google.com/~r/Uplcv/~3/GLLx1DTH0VQ/uplcv?utm_term=how+to+create+an+effective+sales+compensation+plan (PDF link annotation)