Malicious PDF — malware analysis report

Static analysis result for SHA-256 b999eee4e5d96539…

MALICIOUS

PDF

Size: 104.0 KB
Created: 2021-08-22 03:59:20 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-10-14
MD5: ba0a82d8ee7a05dbd419f62092e077e5
SHA-1: decb9c4371843bb8c5d9313743417c252fae4d68
SHA-256: b999eee4e5d9653987020afc096f2b3c96067250f0e4423117fb3d56015ec4b1
Risk Score: 64

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is a PDF document identified by ClamAV as a phishing trojan. It contains embedded URLs pointing to other PDF files, one of which is hosted on a potentially compromised website. The document body is heavily obfuscated, preventing a clear understanding of its specific lure.

Machine Learning

  • Nyx PDF Classifier clean score 0.1347

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.advokat.com/app/webroot/img/fck/file/89651152544.pdf (in PDF document text)
    • https://www.hinogas.com/wp-content/plugins/super-forms/uploads/php/files/jsqiu1e6u3670df0vbsibp57bi/16136036562.pdf (in PDF document text)
    • https://feedproxy.google.com/~r/Uplcv/~3/1KS0DP0cxss/uplcv?utm_term=handbook+of+petroleum+refining+processes+4th+edition+pdf+free+download (PDF link annotation)