Malicious PDF — malware analysis report

Static analysis result for SHA-256 ee35e09862f183ba…

MALICIOUS

PDF

Size: 72.0 KB
Created: 2021-08-11 12:32:49 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-10-05
MD5: e3bb6692f0dac979d70c430bb7ad7456
SHA-1: cef547db5212cc75da6b690ab39c30984f7edbce
SHA-256: ee35e09862f183baff9ba6ad7de64ab1d9fcd6418683b4fb756aac3e42944c0b
Risk Score: 64

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF was flagged by ClamAV as malicious (Pdf.Phishing.Trojan). It contains an embedded URI pointing to a URL that, while currently flagged as benign, is suspicious in context. The PDF structure itself does not contain readable text, but the presence of the URI and the ClamAV detection strongly suggest a phishing or credential-harvesting attempt.

Machine Learning

  • Nyx PDF Classifier: suspicious score 0.4916

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI [info, PDF_URI]
    PDF contains an external URL action
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://feedproxy.google.com/~r/skout/mBVl/~3/LPIa9PGmDLg/uplcv?utm_term=where+should+you+take+prostitutes+in+gta+5 (channel: PDF link annotation)