PDF malware analysis — malicious · 0c4d1101a6ef3d70

MALICIOUS

PDF

235.8 KB Created: 2010-02-25 19:22:03 Authoring application: Joomla! 1.5 - Open Source Content Management (via TCPDF 2.5.000_PHP4 (http://www.tcpdf.org))

MD5: 7bee4656017dd7b1c1172e4bb258e6af SHA-1: 7285c8013165cb63a0dadd52f3e97e6798de2e14 SHA-256: 0c4d1101a6ef3d70e960d93921aecf0e21c0b4e7c6a1bed692081b7d96e3ea61

72 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a hidden HTML iframe, indicating an attempt to redirect the user to external malicious sites. The ML classifier also flagged this PDF as malicious. The embedded URLs point to suspicious domains, likely serving as part of a phishing or malware distribution scheme.

Machine Learning

Nyx PDF Classifier malicious score 0.9482

Heuristics 2

PDF contains hidden external HTML iframe high PDF_HIDDEN_HTML_IFRAME

PDF bytes contain a hidden zero-size HTML iframe pointing to an external HTTP(S) URL. This is a strong malicious dropper/redirect indicator and is not expected in ordinary PDF content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://fuadrenal.com/lib/index.php
- http://reycross.com/lib/index.php
- http://odmarco.com/lib/index.php
- http://www.gnu.org/copyleft/gpl.html

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`stream_002_off0000b9ed.bin` `a5337ef1f5a0dfe4dc8fa6b4f3ef847a53624800b5928a0eeef5b888ceecaabc`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0xB9ED	264072 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.