Malicious PDF — malware analysis report

Static analysis result for SHA-256 1e7f92b694b1ae08…

MALICIOUS

PDF

11.7 KB Created: 2019-03-13 17:33:01 +03:00 Authoring application: dompdf + CPDF
MD5: 46935feef526daa1473b337027483fec SHA-1: f8bc30aa889be22e0b29202d060236d5a6c610e8 SHA-256: 1e7f92b694b1ae082730a6b44536d44b251d85d8fa8f6a07c818e02f43e5d364
72 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The file is a PDF document that contains embedded URLs, identified by the PDF_URI heuristic. The ClamAV detection indicates it is known malware, specifically Pdf.Phishing.Emotet0-7413057-0. The SE_INVOICE_LURE heuristic suggests the document's content is designed to trick the user into interacting with the embedded links, likely leading to a phishing or malware download site. No scripts were extracted from this sample.

Heuristics 5

  • ClamAV: Pdf.Phishing.Emotet0-7413057-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Emotet0-7413057-0
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • External URI info PDF_URI
    PDF contains an external URL action
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://design.ftsummit.us/wp-includes/ya1w-nhg7bf-ljopsa/
    • http://design.ftsummit.us/wp-includes/ya1w-nhg7bf-ljopsa/?InvoiceType=Regular&date=3-1-
    • http://design.ftsummit.us/wp-includes/ya1w-nhg7bf-ljopsa/?type=Regular&date=1-1-19_3-13-

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_000_off00000288.bin
b85591118a83d885ac2023e0b1c85201fde8977e6e787cfbf89a4bc38eaa8a80		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x288 20231 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 50 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.