Malicious PDF — malware analysis report

Static analysis result for SHA-256 f5ce7363c5a94bc0…

MALICIOUS

PDF

Size: 51.0 KB
Created: 2020-11-24 05:00:00 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-05
MD5: db798115ba4b00730d07c66f79ad6b7d
SHA-1: 6a879d88cfa0c6e132ea6d1c8f0418515214ddf7
SHA-256: f5ce7363c5a94bc09aee5f9ddafaf861161157b0df67b58b48ef17f24e6d633b
Risk Score: 94

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file triggered a heuristic for an external URI action that points to a suspicious URL. ClamAV also detected the file as a phishing trojan. The document body, though heavily obfuscated, contains text related to 'Uniforme estiva carabinieri 2018', suggesting a lure built around law enforcement uniforms. The embedded URL together with detection by multiple engines strongly indicates a phishing attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6878

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://traffnew.ru/strik?utm_term=uniforme+estiva+carabinieri+2018 (In PDF link annotation)
    • https://cdn-cms.f-static.net/uploads/4424009/normal_5f9f9dda6f598.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4366340/normal_5f87c14495fc9.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4420924/normal_5fb8897f8d561.pdf (In PDF document text)
    • https://suzokixuvajix.weebly.com/uploads/1/3/0/7/130776208/6026291.pdf (In PDF document text)
    • https://kojepogezoxuta.weebly.com/uploads/1/3/4/4/134487575/dudikejigiwi-mabax-vonaruwuxes.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4443595/normal_5fb93255d9bb3.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4384310/normal_5f93bcc75d62c.pdf (In PDF document text)
    • https://lipowuripipu.weebly.com/uploads/1/3/1/3/131378852/1c72f370f07fd5.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/9565432b-8d0b-418f-a5d7-3999a5a2e297/70294185616.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/5e8f659d-3317-4de2-800b-830bb591c4e4/smoothing_capacitor_voltage.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/020cbd83-bbef-443f-9721-8605288cc956/brookville_middle_school_in_va.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/22e317e0-a32e-4163-af25-fd9d9f868245/chaar_sahibzaade_2_full_movie_480p.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/0126d7aa-a5e9-4067-a0b4-49616e1bc347/80591558593.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/18631031-4102-46dd-9ecb-eb9117f52032/5483397901.pdf (In PDF document text)