Malicious PDF — malware analysis report

Static analysis result for SHA-256 24fc862eee7bf27f…

Verdict: MALICIOUS
File type: PDF
Size: 450.1 KB
MD5: 17cf4348b3937f772d8fa603cdb4c990
SHA-1: 3d740a5f76a713b617ad31a93121ba25a30e6729
SHA-256: 24fc862eee7bf27fbbbba2ce52e912e17c4a96f7e78f4ade7e9e24a8854c668f
Risk Score: 130

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1071.001 Web Protocols

The PDF contains embedded files, specifically other PDFs, a common technique for delivering malicious payloads. The ClamAV detection 'Pdf.Dropper.Agent-7240204-0' strongly suggests its role as a dropper. While no specific URLs were flagged as malicious, the presence of nested documents indicates a likely multi-stage attack in which the embedded PDFs would initiate further malicious activity once opened.

Machine Learning

  • Nyx PDF Classifier clean score 0.0876

Heuristics (5)

  • Embedded PDF child has suspicious static findings critical PDF_EMBEDDED_CHILD_STATIC_TRIAGE
    PDF contains an embedded PDF stream whose extracted child matches suspicious or malicious PDF heuristics. Wrapper PDFs are commonly used to hide the actual exploit or lure payload from scanners that do not recursively inspect attachments.
  • ClamAV: Pdf.Dropper.Agent-7240204-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7240204-0
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • Remote GoTo action info PDF_GOTO_REMOTE
    PDF has GoToR/GoToE actions that reference sibling document files — typical of multi-part document bundles
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Each entry lists filename, SHA-256, kind, source and size.

  • tool___p11---alert_one---nest--5-only-text-long-doc.pdf
    SHA-256: 7dbc22dc538addf87c4f76375db3e9803516a737703230ee426fef0757f3e828
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 244 at offset 0x1AA53
    Size: 115021 bytes
  • tool___p11---alert_one---nest--5-only-text-long-doc_1.pdf
    SHA-256: 7f39a7b0d5beb6b72c39706fe51e421afbe00c14016066628d3eed37005a4391
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 244 at offset 0x1AA54
    Size: 201386 bytes
  • tool___p11---alert_one---nest--5-only-text-long-doc_2.pdf
    SHA-256: f843c0dd74aa1b6d169df0436442d21b831814e10a49dc524d41a8cee554c15f
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 244 at offset 0x1AA54
    Size: 287901 bytes
  • tool___p11---alert_one---nest--5-only-text-long-doc_3.pdf
    SHA-256: 5012e613a91b90a9efe504898db79be750f0d5d7265a88787bf4dd249c32567d
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 244 at offset 0x1AA54
    Size: 374460 bytes