Emotet — PDF malware analysis

Static analysis result for SHA-256 a0280374e10d2bf7…

MALICIOUS

PDF

Size: 11.9 KB
Created: 2019-03-13 17:19:02 +03:00
Authoring application: dompdf + CPDF
MD5: e355a334d087bec040cdf9f8a78c2480
SHA-1: 5633639b460c1076b01195e7a15b82045c686e1e
SHA-256: a0280374e10d2bf7805a8787ceea87054b194e2ba373823e464201b184d3de74
Risk Score: 72

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The file is identified as a PDF with a fake invoice lure, containing embedded URLs that point to a suspicious domain. ClamAV detection explicitly names this as Pdf.Phishing.Emotet0-7413057-0, strongly suggesting the Emotet family. The document body text reinforces the lure by mentioning an 'updated payment report' and 'outstanding balance', encouraging the user to interact with the provided links.

Heuristics (5)

  • ClamAV: Pdf.Phishing.Emotet0-7413057-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Emotet0-7413057-0
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • External URI info PDF_URI
    PDF contains an external URL action
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Base URL: https://d-snpagentdirectory.com/hosvctb/gnbo7-2vzgm-licrkml/
    • https://d-snpagentdirectory.com/hosvctb/gnbo7-2vzgm-licrkml/?InvoiceType=Regular&date=3-1-
    • https://d-snpagentdirectory.com/hosvctb/gnbo7-2vzgm-licrkml/?type=Regular&date=1-1-19_3-

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: stream_000_off00000288.bin
SHA-256: 443852bc09b3c467cdb83bdd05557f9da5fab67215fc0a7c6c3bee091ddb7852
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x288
Size: 20432 bytes
Detection:
  • ClamAV: No threats found
  • Obfuscation or payload: likely. Carved artifact contains 50 long base64-like blob(s).