Malicious PDF — malware analysis report

Static analysis result for SHA-256 2c45e0484a45aadc…

MALICIOUS

PDF

47.6 KB Created: 2021-09-12 02:57:33 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 5fa235ed773203c44f64873447a86cd9 SHA-1: 55b49ba206739178ac8e1670f901daebec6c7296 SHA-256: 2c45e0484a45aadc015c91d516e2c33a417c0f1780e80d382e35d6a85002b9b1
64 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The ClamAV heuristic identified this PDF as malware, specifically a phishing trojan. The PDF contains an embedded URI pointing to 'pistant.ru', which is likely used to redirect the user to a malicious site. The presence of multiple other PDF URLs suggests a pattern of hosting malicious content on compromised or attacker-controlled domains.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.4184

Heuristics 3

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://pistant.ru/uplcv?utm_term=thea+stilton+and+the+mystery+in+paris+read+online+free
    • https://chogmai.org/ckfinder/userfiles/files/9085316946.pdf
    • https://dispomydeal.com/wp-content/plugins/super-forms/uploads/php/files/24a7a839b40bf7134551f974a7943bd8/wugasamuduveximogat.pdf
    • http://kristiankutschera.de/userfiles/file/80157044021.pdf
    • http://cuuhoatudong.com/upload/files/33907819768.pdf
    • http://deborahkay.com/ckfinder/userfiles/files/gifazewivowisuniraxajal.pdf
    • http://adasbruiloften.nl/userfiles/file/13594614609.pdf

Open this report in the interactive analyzer, or submit your own file for analysis.