Malicious PDF — malware analysis report

Static analysis result for SHA-256 893cf5661448f765…

Verdict: MALICIOUS
File type: PDF
Size: 85.8 KB
Created: 2021-08-17 14:30:29 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-11-22
MD5: b75f9fe5ec8b95508868591cae28d7d6
SHA-1: fbd4351444e85499e5dc3ba729a1a04b4c688328
SHA-256: 893cf5661448f7651db18679f55848ad4933a3e379dd84c4037e218135f66c49
Risk Score: 64

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file was detected as a phishing trojan by ClamAV. It contains an embedded URI that points to a potentially malicious domain, and other URLs were extracted that could be used for hosting malicious content or redirecting users. The PDF structure and embedded content suggest an attempt to exploit user trust, likely through a phishing lure.

Machine Learning

  • Nyx PDF Classifier clean score 0.1525

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://www.davidcosz.de/wp-content/plugins/super-forms/uploads/php/files/f7ej79mn8d8r586mmgeha2m5qp/85082261330.pdf (In PDF document text)
    • https://baileyelectrical.services/wp-content/plugins/super-forms (In PDF document text)
    • https://feedproxy.google.com/~r/Uplcv/~3/BkSY9tpko7c/uplcv?utm_term=where+does+psilocybe+semilanceata+grow (PDF link annotation)