Qakbot PDF malware analysis — malicious · 9bfcdb28009feeda

MALICIOUS

PDF

89.2 KB Created: 2023-03-19 19:37:16 +00:00 Authoring application: dompdf 2.0.3 + CPDF

MD5: a9a100403a4d18239c2abb3949bd6c90 SHA-1: 6227adb5d7fd9f5d7b30b1ee51126e8c2af84f03 SHA-256: 9bfcdb28009feeda218c4322dabcc1f6464ce64fdede12c988db36889e77fa2d

82 Risk Score

Malware Insights

Qakbot · confidence 95%

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file is identified as an image-only lure, a common phishing technique. It contains a single external URI pointing to 'https://gruastranservis.com/eaoe/eaoe.php'. ClamAV detection confirms this as Pdf.Downloader.Qakbot-9989703-0, strongly suggesting Qakbot family involvement. The primary attack vector is the embedded malicious URL, likely used to download and execute further stages of the malware.

Machine Learning

Nyx PDF Classifier clean score 0.0537

Heuristics 4

ClamAV: Pdf.Downloader.Qakbot-9989703-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Downloader.Qakbot-9989703-0
Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE

PDF has 2 image(s), only 1 text block(s), carries a click-outward action, and is only 89 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL https://gruastranservis.com/eaoe/eaoe.php

Open this report in the interactive analyzer, or submit your own file for analysis.