PDF malware analysis — malicious · 04409066d152e590

MALICIOUS

PDF

235.8 KB Created: 2010-02-08 19:27:29 Authoring application: Joomla! 1.5 - Open Source Content Management (via TCPDF 2.5.000_PHP4 (http://www.tcpdf.org))

MD5: 13e263bec1ed0b3804e40a27a17ffc1d SHA-1: 422ded4804b718c2b5dedcc11217f62088957267 SHA-256: 04409066d152e590fcddef8ccb4a735105f8aec8f7e9f5d92e469fab96d5dccd

72 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was flagged by a machine learning classifier and contains a hidden HTML iframe, indicating a malicious intent to redirect the user to external content. The embedded URLs, such as http://fuadrenal.com/lib/index.php, are likely part of a malicious infrastructure used to serve further malicious content or phishing pages. The authoring application suggests it was generated by Joomla! via TCPDF, which can sometimes be exploited or used to obfuscate malicious content.

Machine Learning

Nyx PDF Classifier malicious score 0.9482

Heuristics 2

PDF contains hidden external HTML iframe high PDF_HIDDEN_HTML_IFRAME

PDF bytes contain a hidden zero-size HTML iframe pointing to an external HTTP(S) URL. This is a strong malicious dropper/redirect indicator and is not expected in ordinary PDF content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://fuadrenal.com/lib/index.php
- http://reycross.com/lib/index.php
- http://odmarco.com/lib/index.php
- http://www.gnu.org/copyleft/gpl.html

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`stream_002_off0000b9ed.bin` `a5337ef1f5a0dfe4dc8fa6b4f3ef847a53624800b5928a0eeef5b888ceecaabc`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0xB9ED	264072 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.