Malicious PDF — malware analysis report

Static analysis result for SHA-256 7abe5c660f89e652…

Verdict: MALICIOUS
File type: PDF

Size: 99.8 KB
Created: 2021-09-11 04:34:58 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-10-07
MD5: db5e5a365cbc811c0a0aaffc99996fa0
SHA-1: cc37e899da18f25e9c7f95e845d780813f74b9d7
SHA-256: 7abe5c660f89e65270780ccfaca267f895c411758edb76a61628b31b23fd20c4
Risk Score: 94

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is a PDF containing an embedded URI that points to a suspicious domain. ClamAV and ML heuristics also flagged the file as malicious, specifically indicating phishing and trojan characteristics. The presence of an external URI suggests an attempt to redirect the user to a malicious site for further exploitation.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5875

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://infrive.ru/uplcv?utm_term=can+dualshock+4+be+used+on+android (channel: PDF link annotation)