QBot — PDF malware analysis

Static analysis result for SHA-256 a7c94aab85118b74…

MALICIOUS

PDF

119.9 KB Created: 1970-01-01 03:00:00 +03:00 Authoring application: FPDF 1.85
MD5: 56e924ca8cd62206237706020ccc9300 SHA-1: 9c7e304bf96997106891050f427c5c1f2d24b57d SHA-256: a7c94aab85118b74b911a7e511a587313fbbe4689bef8be295d23fbd65d38bd1
190 Risk Score

Malware Insights

QBot · confidence 95%

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

This PDF document is identified as malicious by ML classifiers and ClamAV, which specifically flags it as Pdf.Trojan.QBot-9981055-0. Heuristics indicate it functions as an image-based lure, presenting a screenshot to conceal a clickable action. This action directs the user to a raw IP address URL, http://51.68.201.10/DocumentsFolder_XXXXXX_12202022.zip, which is designed to download a ZIP payload. The presence of repeated, invisible payload links further supports this delivery mechanism.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6672

Heuristics 5

  • Invisible/repeated PDF links deliver payload file critical PDF_REPEATED_PAYLOAD_LINK_LURE
    PDF uses invisible link annotations and points to a direct payload download. Repeated invisible links or lure-like payload names such as document/unlock/verify archives match malware-delivery PDF carriers where the page is only a prompt and the real payload is fetched from the linked URL.
  • ClamAV: Pdf.Trojan.QBot-9981055-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Trojan.QBot-9981055-0
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 1 image(s), only 1 text block(s), carries a click-outward action, and is only 119 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • Clickable URI points to raw IP address medium PDF_URI_IP_LITERAL
    PDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://51.68.201.10/DocumentsFolder_XXXXXX_12202022.zip
    • http://www.iec.ch

Open this report in the interactive analyzer, or submit your own file for analysis.