PDF malware analysis — malicious · 09a27062f0dd386d

MALICIOUS

PDF

530.9 KB Created: 2017-11-08 20:52:09 +00:00 Authoring application: Microsoft® Word 2016 (via www.ilovepdf.com)

MD5: 9a555222423f14c30745ae5607782db9 SHA-1: e3798aed269e1659a135dc8a3a00b89aecc86c91 SHA-256: 09a27062f0dd386d9127b8afe9dd10282fe345ec1317b8af7adf1b6fb9e52804

124 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1539 Steal Application Data

The PDF document uses a lure consistent with credential phishing, impersonating a document signing service to solicit sensitive information such as MFA codes. The ClamAV detection and embedded URI heuristics further indicate malicious intent, likely to download a secondary payload or redirect to a phishing site. The document body was unreadable, but the heuristics strongly suggest a phishing attack.

Machine Learning

Nyx PDF Classifier clean score 0.0157

Heuristics 5

ClamAV: Pdf.Dropper.Agent-7226471-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Dropper.Agent-7226471-0
MFA / one-time-code harvesting lure high SE_MFA_LURE

Document asks for a one-time code, authenticator approval, or MFA confirmation — consistent with credential phishing kits that steal session tokens or abuse multi-factor authentication
Document signing service impersonation lure medium SE_DOCUSIGN_LURE

Document impersonates DocuSign, Adobe Sign, or a similar signing service in a signing-request context
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://grupoavance.com.gt/wparch/index.php
- https://click.mail.onedrive.com/?qs=4c7571988e84cd035679808f33e5b957823af7248f37ae69608e5a3ff8b2a7fdb08d0d2a17beba68f49543faceae61d464efd0cf71052556ce4ccd52ef74967b
- http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl0X
- http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt0
- http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl0Z
- http://www.microsoft.com/pki/certs/MicCodSigPCA_08-31-2010.crt0
- http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl0T
- http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt0
- http://www.microsoft.com/typography
- http://en.wikipedia.org/wiki/MIT_License
- http://www.microsoft.com/Typography/0
- http://www.microsoft.com/typography/ctfontshttp://lucasfonts.comMicrosoft
- http://www.microsoft.com/typography/fonts/default.aspx
- http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl0a
- http://www.microsoft.com/pkiops/certs/MicCodSigPCA2011_2011-07-08.crt0
- http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl0^
- http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt0��
- http://www.microsoft.com/pkiops/docs/primarycps.htm0@

Extracted artifacts 5

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`stream_000_off00000057.bin` `284cba10d4fb1ea5fd04d8754e047ca2032666283420dd6cbfa5bf853dfda2e4`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x57	291996 bytes
`stream_002_off00038f6d.bin` `0d19408247662beaaebad5403c19f15fe79c7aa550e947da70ac7df721ba3884`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x38F6D	264072 bytes
`stream_003_off0004b639.bin` `1830e6dc5eaf91951044f93226600879f4532ca5f0640ddd3d0d213163324207`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x4B639	314688 bytes
`stream_005_off00063fa1.bin` `6e5b99f2cbd259ecb19df779fb9504e379b22b67845a6fe00c7e398d4bef63a6`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x63FA1	295648 bytes
`font_00_sfnt_off00014efa.bin` `04801be8734ff1d4cca9d88290776a868d093505ce2a2f9a2e9e2013a0884794`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x14EFA	344500 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.