Malicious PDF — malware analysis report

Static analysis result for SHA-256 13415a7ed47aa89f…

MALICIOUS

PDF

159.7 KB Created: 2021-07-14 10:26:54 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-24
MD5: ec81d3a321853e9831a982abd6978eef SHA-1: eac58c9a0e04c4d999625aec4ce7ebfda485e18e SHA-256: 13415a7ed47aa89fbb974a44486de9fa039d78f07f17f4d2a6acdaa1adcef1ec
84 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV, indicating it's a Pdf.Phishing.Trojan. It contains embedded URIs, one of which points to a raw IP address on a compromised web server, likely serving as a download source for the malware. The presence of a Google feed-like URL is a common lure tactic in phishing campaigns.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.3790

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Clickable URI points to raw IP address medium PDF_URI_IP_LITERAL
    PDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://xboxheerlen.nl/userfiles/file/13723911860.pdf In PDF document text
    • http://huile-de-nigelle.info/userfiles/file/diniwinomudo.pdfIn PDF document text
    • http://104.156.58.56/~web2inbox/wp-content/plugins/formcraft/file-upload/server/content/files/160801747a47c3---ruxafut.pdfPDF link annotation
    • http://global-gypsum.com/wp-content/plugins/formcraft/file-upload/server/content/files/16084a6148504e---15490985232.pdfIn PDF document text
    • https://cometsecurity.in/admin/userfiles/file/2572114547.pdfIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/BkSY9tpko7c/uplcv?utm_term=law+of+chemical+periodicityPDF link annotation