PDF malware analysis — malicious · f080f9fd09e62534

MALICIOUS

PDF

39.4 KB Created: 2021-07-24 08:49:25 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)

MD5: 922f1c0b32589b2e61b86800f8db7400 SHA-1: c9967dc9d0c9591f0e9397897cebd52e28779cf7 SHA-256: f080f9fd09e62534018e59270c6d135908557fac5b66a69613643f9f5d596f4a

84 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The PDF file is identified as a phishing lure due to its structure, containing an image that likely conceals a clickable link. The ClamAV heuristic further confirms its malicious nature. The embedded URL, although flagged as benign by the analysis, is presented as the primary vector for the attack.

Machine Learning

Nyx PDF Classifier suspicious score 0.3273

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE

PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 39 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL https://feedproxy.google.com/~r/skout/mBVl/~3/cv9VXjIrmdE/uplcv?utm_term=microsoft+sql+server+user+guide+pdf

Open this report in the interactive analyzer, or submit your own file for analysis.