Malicious PDF — malware analysis report

Static analysis result for SHA-256 f6f2f9d708855eb6…

MALICIOUS

PDF

Size: 80.4 KB
Created: 2021-06-27 18:58:30 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-11-25
MD5: 704029ecabbdbcc9f8b20768729853a2
SHA-1: 5dfaf5682fd5429d4a493a1fa11e5e497b670589
SHA-256: f6f2f9d708855eb6baed8e2de25e8ecf53892e0de812c6a248a1d60778bda120
Risk score: 94

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV and an ML classifier, with heuristics indicating the presence of an embedded URI. Although the extracted URL is confirmed benign, the overall detection suggests a phishing or credential harvesting attempt. No scripts were extracted, limiting further analysis of the attack vector.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.6016

Heuristics (3)

  • ClamAV detection (critical, CLAMAV_DETECTION): Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (info, PDF_URI)
    The PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/1xuhb7AK25c/uplcv?utm_term=history+of+medieval+renaissance+and+baroque+music (channel: PDF link annotation)