Malicious PDF — malware analysis report

Static analysis result for SHA-256 0e01314be5103312…

MALICIOUS

PDF

Size: 53.7 KB
Created: 2021-09-02 15:29:03 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-10-14
MD5: e70245f98462618cfddc75c538f23655
SHA-1: 30d8b9b00476db70f3c569f25a87c19fbf9d401b
SHA-256: 0e01314be5103312c9486e192d8928eb823f8051eaf6ea83686223508b46feb9
Risk Score: 94

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file was flagged by multiple heuristics, including ClamAV and an ML classifier, indicating malicious content. It contains an embedded URI pointing to 'smidgel.ru', which is likely a phishing or malware distribution site. The document body, though truncated and obfuscated, suggests a lure related to a Toyota Corolla service manual, a common tactic for phishing campaigns.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6963

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted:
    • https://smidgel.ru/uplcv?utm_term=toyota+corolla+2016+service+manual (PDF link annotation)
    • https://www.sudburyhighspeedinternet.ca/wp-content/plugins/super-forms/uploads/php/files/f9c9e0ae844a3826f00f90ba73deca9d/tewudarofakuwezuzo.pdf (in PDF document text)
    • https://bxthirteen.wpengine.com/wp-content/plugins/super-forms/uploads/php/files/815e74b57b07b7576e5e4eaad8470340/64006580974.pdf (in PDF document text)