Malicious PDF — malware analysis report

Static analysis result for SHA-256 3b37f1e803a43ad8…

Verdict: MALICIOUS
File type: PDF
Size: 54.7 KB
Created: 2021-04-13 08:57:01 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 09c6504bcbb8c9eaf94900c36800a3b3
SHA-1: 1ca6d46dc022fd782f4730c2008e619e7e6c0a23
SHA-256: 3b37f1e803a43ad8ba0ea126eaf422c7daac31cdc33a7535caebfab7305628ad
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. It contains embedded URLs that point to potentially malicious domains, suggesting a phishing or credential harvesting attempt. No scripts were extracted, but the presence of external URIs and the overall detection profile suggest the document is designed to redirect users to malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6699

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.pbttphtk.gov.my/sites/default/files/webform/73261430544.pdf
    • https://www.mainephilanthropy.org/sites/default/files/79141676299.pdf
    • https://ambrose.edu/sites/default/files/webform/85138354947.pdf
    • http://oaklandchildcare.org/sites/default/files/webform/bidepe.pdf
    • http://spotlight-sites.com/sites/default/files/webform/jalipoxelelikepobolid.pdf
    • https://ambrose.edu/sites/default/files/webform/7968200385.pdf
    • http://www.guninetwork.org/system/files/webform/heirri_proposals/80098342864.pdf
    • http://www.muttypawsacademy.com/sites/default/files/webform/vaccines/40041164747.pdf
    • https://www.visitsavannah.com/sites/default/files/webform/59391310887.pdf
    • https://www.jsif.org/sites/default/files/webform/vinuriruxelapaviwona.pdf
    • https://feedproxy.google.com/~r/skout/mBVl/~3/fzgW7-mxBc0/uplcv?utm_term=tabela+acordes+diminutos+viol%25C3%25A3o
    • https://www.vub.be/sites/vub/files/webform/16824703900.pdf
    • https://community.princeton.edu/system/files/webform/fivedexexefo.pdf
    • https://ec.europa.eu/eip/agriculture/sites/default/files/webform/77241298986.pdf