Verdict: MALICIOUS
Risk Score: 64
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The PDF is encrypted, preventing deeper static analysis of its content. However, ClamAV detected it as Pdf.Exploit.Agent-23658, indicating it contains an exploit. The presence of embedded URLs, some of which are not confirmed benign, suggests a potential for malicious redirection or payload delivery. The exploit likely targets a vulnerability to achieve client execution, with spearphishing attachment being the probable initial access vector.
Machine Learning
- Nyx PDF Classifier clean score 0.0001
Heuristics (3)
- ClamAV: Pdf.Exploit.Agent-23658 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Pdf.Exploit.Agent-23658
- Encrypted PDF (string and stream contents are opaque to static scan) [info, PDF_ENCRYPTED]: PDF declares /Encrypt; string objects and stream contents are encrypted with the standard security handler (RC4 or AES). On its own this is informational; legitimate encrypted documents include signed contracts, billing statements, and rights-managed material. Static heuristics cannot inspect encrypted payload bytes.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs:
  - http://www.kitsrus.com
  - http://www.websitetoolbox.com/tool/mb/diykit?forum=13943
  - http://download.microsoft.com/download/vb60pro/install/6/win98me/en-
  - http://www.microchip.com/stellent/idcplg?IdcService=SS_GET_PAGE&nodeId=1407
  - http://www.iec.ch
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| icc_00_off00009c11.icc (SHA-256 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e) | pdf-icc-profile | PDF ICC profile at offset 0x9C11 | 3144 bytes |