Malicious PDF — malware analysis report

Static analysis result for SHA-256 b2a39d7633f4de8a…

MALICIOUS

PDF

62.3 KB Created: 2021-07-31 01:12:38 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-09-29
MD5: d83d04090b2fe75ad7c280b42b662dc3 SHA-1: 0d2b74bcdbe3b9a4acd4415c388d81b8a6df7d89 SHA-256: b2a39d7633f4de8a1a9f9d8e7b5728bc171519fca81759bde8adda0ae3c2a7af
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds external URLs that direct users to attacker-controlled resources. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6688

Heuristics 3

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://aliencosmicexpo.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608b55ce97723---35841565643.pdf In PDF document text
    • https://www.cedicar.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606e344995fe7---36613866265.pdfIn PDF document text
    • http://rheinmotel.com/userfiles/file/69765475913.pdfIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/1KS0DP0cxss/uplcv?utm_term=upstream+elementary+a2+teacher%27s+book+pdf+%D1%81%D0%BA%D0%B0%D1%87%D0%B0%D1%82%D1%8CPDF link annotation

Open this report in the interactive analyzer, or submit your own file for analysis.