PDF malware analysis — malicious · 23f4f941ad5cf519

MALICIOUS

PDF

484.5 KB Created: 2017-11-15 13:50:48 +00:00 Authoring application: Microsoft® Word 2016 (via www.ilovepdf.com)

MD5: 51a0d324002625662d4fb33c1121b362 SHA-1: bd33a6df0fbae5f9349060844a8db6abf365a2fb SHA-256: 23f4f941ad5cf5193013a0a9bec8b0588b3ec69a5297f9864503c1071c925afb

100 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a heuristic firing indicating it uses a URL shortener for a lure, which is a common tactic for delivering malware or phishing content. ClamAV also identified it as a known dropper. Although the document body is heavily obfuscated and unreadable, the presence of a shortened URL suggests a delivery mechanism aimed at enticing user interaction. No scripts were extracted from this sample.

Machine Learning

Nyx PDF Classifier clean score 0.0023

Heuristics 3

ClamAV: Pdf.Dropper.Agent-7239685-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Dropper.Agent-7239685-0
Image-only PDF lure links through URL shortener high PDF_IMAGE_LURE_SHORTENER_LINK

PDF is image-heavy with little real text and its clickable action points to a URL shortener. This is a high-confidence credential-phishing carrier shape: the visible page is a screenshot-like prompt while the destination is hidden behind redirect infrastructure.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://ow.ly/b6Wv30gATkZ

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`stream_001_off00021f48.bin` `e510393c444498094688d5fe47bbe13b3c547fd9c2c7b710adff7aa628cb4047`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x21F48	332744 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.