Pdf.Dropper.Agent-7597379-0 — PDF malware analysis

Static analysis result for SHA-256 182873d2ca7a38b7…

MALICIOUS

PDF

Size: 638.2 KB
Created: 2001-12-28 15:28:45 +08:00
Authoring application: Acrobat PDFMaker 5.0 for Word (via Acrobat Distiller 5.0 (Windows))
MD5: 120e53ff2316d4a0903a88eb10bba96c
SHA-1: 1527303d7b68e05f0854de46d9a1dc4d4b9b6e6e
SHA-256: 182873d2ca7a38b716337ce854bcb2c344219d4d0b701e23d658d23fe2132f7f
Risk score: 132

Malware Insights

Pdf.Dropper.Agent-7597379-0 · confidence 95%

MITRE ATT&CK: T1203 Exploitation for Client Execution

The PDF file contains a hidden HTML iframe, a technique commonly used to exploit client-side vulnerabilities and redirect users to malicious sites. ClamAV detection and ML classification both classify the file as malicious. The embedded URLs suggest the file is designed to download and execute a secondary payload, likely leading to further compromise.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7925

Heuristics (3)

  • ClamAV: Pdf.Dropper.Agent-7597379-0 (severity: critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7597379-0
  • PDF contains hidden external HTML iframe (severity: high, PDF_HIDDEN_HTML_IFRAME)
    PDF bytes contain a hidden zero-size HTML iframe pointing to an external HTTP(S) URL. This is a strong malicious dropper/redirect indicator and is not expected in ordinary PDF content.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://www.66ki.cn/index.htm
    • http://www.macrcmedia.net/go/getflashplayer.htm
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/iX/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://www.iec.ch

Extracted artifacts (5)

Files carved from inside the sample during analysis (filename, SHA-256, kind, source, size).

  • icc_00_off0000181c.icc
    SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
    Kind: pdf-icc-profile
    Source: PDF ICC profile at offset 0x181C
    Size: 3144 bytes
  • font_00_cff_off0003d71a.bin
    SHA-256: fb5495a54327f48a259bdec1b2f72d2721cd65d803b07dacd47227a4018852de
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x3D71A
    Size: 287 bytes
  • font_01_cff_off0003d965.bin
    SHA-256: 6a7ee79874ccaca7c8a68ef0ff16e63ba65e788130ac8733ba5080be56269e5f
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x3D965
    Size: 277 bytes
  • font_02_cff_off0003dba2.bin
    SHA-256: 037fa8778b61fe43358d7d9f0aa86d356ff52f8181f88a7bde5bab9348f66ad1
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x3DBA2
    Size: 237 bytes
  • font_03_cff_off0003ddc3.bin
    SHA-256: acc42772c8d0cce62579e238b1f59a72830f3bd9d6caa362ca9de4252794cda2
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x3DDC3
    Size: 280 bytes