Malicious PDF — malware analysis report

Static analysis result for SHA-256 9e614789476f2972…

MALICIOUS

PDF

55.4 KB Created: 2021-08-11 01:06:13 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-05
MD5: 4aa990e9fe682478b13a7cd85a7f860e SHA-1: 063b924ded4c95a69c0f2b2cfd2bff5c3aa1451a SHA-256: 9e614789476f2972a78260626a69d4f937fb95049fc147e6f7138efbd0007075
64 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The ClamAV heuristic identified this PDF as a phishing trojan. The document contains embedded URLs that point to potentially malicious domains, suggesting an attempt to redirect users to phishing sites. Although no scripts were explicitly extracted, the PDF structure and embedded URIs are indicative of a phishing lure.

Machine Learning

  • Nyx PDF Classifier clean score 0.2443

Heuristics 3

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://hoanhaochemical.com/uploads/files/21203434546.pdf In PDF document text
    • http://haustechnik-hagenauer.at/73182852058.pdfIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/3vuEKuznOb8/uplcv?utm_term=wcco+anchor+salariesPDF link annotation