PDF malware analysis — malicious · 1adb893148265d3c

MALICIOUS

PDF

108.4 KB Created: 2016-04-30 15:19:27 +01:00 Authoring application: Acrobat Editor 8.0 (via Adobe Acrobat 8.0)

MD5: ac812fa2f29000159b83537ec22afbf7 SHA-1: f8189ac0389162c6925206bc2b216480ff2b65ce SHA-256: 1adb893148265d3c41721b5e39124d1572171056f7fc7f68b874fe1608c66b63

186 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1566.001 Spearphishing Attachment T1204.002 Malicious Link

This PDF document contains JavaScript actions and numerous embedded links that are designed to trick the user into downloading a malicious ZIP archive. The ClamAV detection of 'Pdf.Dropper.Agent-7235280-0' and the presence of multiple suspicious URLs strongly indicate a dropper or downloader functionality. The document's structure, including invisible links and parser evasion techniques, further supports a malicious intent to deliver a secondary payload.

Heuristics 8

Invisible/repeated PDF links deliver payload file critical PDF_REPEATED_PAYLOAD_LINK_LURE

PDF uses invisible link annotations and points to a direct payload download. Repeated invisible links or lure-like payload names such as document/unlock/verify archives match malware-delivery PDF carriers where the page is only a prompt and the real payload is fetched from the linked URL.
ClamAV: Pdf.Dropper.Agent-7235280-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Dropper.Agent-7235280-0
Clickable PDF combines external action with parser-evasion structure high PDF_ACTION_PARSER_EVASION

PDF has an external clickable URI together with object graph or xref structures that make parsers disagree, such as divergent duplicate objects, parser divergence, or xref offset mismatch. That combination is stronger than a plain link: the document is both an outward-action carrier and a parser-confusion/evasion sample.
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded file low PDF_EMBEDDED

PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ydray.com/get/l/uQB1Mzg3Njk311972265k3/eAHgMTE5NzIy231vT)/S/URI
- http://www.sytern.com/en/getfreetry/order-details-20160610081315.zip?key=ca81af73186380abd80404f8788fc02b)/S/URI
- http://www.sytern.com/en/getfreetry/order-details-20160612102317.zip?key=8b02903c3a05c15f4682ffc3ad1c1b46)/S/URI
- http://www.sytern.com/en/getfreetry/order-details-20160612105105.zip?key=3dfdaf579dda5063820605e4c3ab089a)/S/URI
- http://www.sytern.com/en/getfreetry/order-details-20160612105629.zip?key=ca4a356d2f05e4be8d01d659c574032c)/S/URI
- http://www.sytern.com/en/getfreetry/order-details-20160612110025.zip?key=a2c27a4b4b4e978ddcd2b346b3115430)/S/URI
- http://www.sytern.com/en/getfreetry/order-details-20160612110718.zip?key=c7347f7ee4df9001c07b9b6ab30a934a)/S/URI
- http://www.sytern.com/en/getfreetry/order-details-20160612112210.zip?key=acc3bd80619b0221bf5571e9df8c6aef)/S/URI
- http://www.sytern.com/en/getfreetry/order-details-20160612114716.zip?key=f8e6783cd2eb8efc3de177efed78436c)/S/URI
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/xap/1.0/
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/pdf/1.3/

Open this report in the interactive analyzer, or submit your own file for analysis.