Malicious PDF — malware analysis report

Static analysis result for SHA-256 69ac7ae1263be42c…

MALICIOUS

PDF

136.7 KB Created: 2021-06-18 14:02:43 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-11
MD5: 4a1f980258b36cbd53a24fd64a85d77b SHA-1: 29763d549ed2f36617e9a4f90de2cf53243ffaad SHA-256: 69ac7ae1263be42c00d06cab5493f6235874223e80976328642882faeb9fdc89
64 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV with a phishing and trojan detection. It contains an embedded URI pointing to a suspicious domain, likely intended to host malicious content or phish for credentials. The document body, though heavily obfuscated, contains metadata suggesting it was generated by wkhtmltopdf, which can be used to create malicious PDFs.

Machine Learning

  • Nyx PDF Classifier clean score 0.1296

Heuristics 3

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://catamma.ru/uplcv?utm_term=tlk+optimus+prime+voyager PDF link annotation