Malicious PDF — malware analysis report

Static analysis result for SHA-256 25cb8ded60a586e9…

MALICIOUS

PDF

64.0 KB Created: 2021-07-06 04:25:10 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-11-02
MD5: 7c8309e92673c3bf6abfcdc83d54ab46 SHA-1: 75224c960956a4222b421564a2ae3cf96852b9ef SHA-256: 25cb8ded60a586e9bd839f52520fc13db1d4af784f23665da6666a4b129b5d77
94 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The file was detected by ClamAV as Pdf.Phishing.Trojan and also flagged by an ML classifier, indicating malicious intent. The presence of an external URI suggests it may be used to download a secondary payload or redirect the user to a malicious site. The PDF structure and exploit detection point towards exploitation for client execution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5002

Heuristics 3

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/fzgW7-mxBc0/uplcv?utm_term=labor+and+monopoly+capital PDF link annotation