Malicious PDF — malware analysis report

Static analysis result for SHA-256 13a73f2936480f07…

MALICIOUS

PDF

420.8 KB Created: 2018-03-06 23:51:59 +02:00 Authoring application: Microsoft® Office Word 2007
MD5: a83029977b9cdaaf609893dd0072f3a5 SHA-1: 43c7c5108bfe2a252ed86fcee4a4fdc6decbef51 SHA-256: 13a73f2936480f072a311c43d682a174f2deedc089b5827558b4261e74999acd
122 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The PDF file contains a direct link to a JAR file hosted on 'inspeciedesigns.com'. This heuristic, combined with ClamAV detection as 'Pdf.Dropper.Agent-7231471-0', strongly suggests the document's purpose is to trick the user into downloading and executing the malicious JAR. The embedded URL is the primary indicator of this malicious intent.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.3308

Heuristics 3

  • PDF link points directly to executable/archive payload critical PDF_DIRECT_PAYLOAD_LINK
    PDF contains a clickable HTTP(S) URI whose path ends in an executable, script, shortcut, disk image, or archive extension. Documents can legitimately link to installers, so this is a high-risk delivery indicator rather than a standalone exploit fingerprint.
  • ClamAV: Pdf.Dropper.Agent-7231471-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7231471-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://inspeciedesigns.com/wp-includes/IXR/transfer_receipt.jar
    • http://www.microsoft.com/typography/ctfontshttp://lucasfonts.comMicrosoft
    • http://en.wikipedia.org/wiki/MIT_License
    • http://www.microsoft.com/typography/fonts/default.aspx
    • http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl0X
    • http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt0
    • http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl0T
    • http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt0
    • http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl0a
    • http://www.microsoft.com/pkiops/certs/MicCodSigPCA2011_2011-07-08.crt0
    • http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl0^
    • http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt0��
    • http://www.microsoft.com/pkiops/docs/primarycps.htm0@
    • http://www.microsoft.com/Typography

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_004_off00044ffc.bin
0079bfc1bad086f11b14d605b8b2b201143081bb22acb10bff4a7f5f709870e1		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x44FFC 338528 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.