PDF malware analysis — malicious · 646c40696365364e

MALICIOUS

PDF

172.1 KB Created: 2021-07-04 15:33:26 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-01

MD5: 1ec9f082fc497017d63c0bcab6990e35 SHA-1: 9993f268fb24bb6bed5f85eb06e01addba72c549 SHA-256: 646c40696365364ee35a186a021a2573168ff2e4fa47299606501af199fa516f

64 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The file was detected as a phishing trojan by ClamAV. It contains embedded URLs that lead to potentially malicious PDF files hosted on external domains. The PDF document body is heavily obfuscated and appears to be generated by wkhtmltopdf, suggesting it may be a lure document designed to redirect users to these malicious sites.

Machine Learning

Nyx PDF Classifier suspicious score 0.4967

Heuristics 3

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.argentum.com/wp-content/plugins/super-forms/uploads/php/files/uuflm8u9cj3l74jp7934bqjpk1/23564156674.pdf In PDF document text
- https://gz-topstar.com/wp-content/plugins/super-forms/uploads/php/files/a67132ad89e72d3864f3c239d79e5277/73579858955.pdfIn PDF document text
- http://leebyenghun.com/new/upload/board/files/zalizatitunesazuvajijoliz.pdfIn PDF document text
- https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/cv9VXjIrmdE/uplcv?utm_term=linguistic+theory+of+language+acquisitionPDF link annotation

Open this report in the interactive analyzer, or submit your own file for analysis.