Malicious PDF — malware analysis report

Static analysis result for SHA-256 2569d33c7a21334a…

MALICIOUS

PDF

Size: 827.8 KB
Created: 2010-01-21 23:31:55 -06:00
Authoring application: PaperPort 12 (via OmniPage CSDK 16)
MD5: 00a3d9115b8ff77b40d97fdca0fd7694
SHA-1: 0f56b3df3e303620a99d628d9ba16783d90c7f1e
SHA-256: 2569d33c7a21334a19adcb587a4e10c51ff5c4052913be4644b2d3d1eb56a5b1
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1566.003 Phishing: Spearphishing Attachment

The critical ClamAV heuristic indicates this PDF is malicious, specifically identified as Pdf.Exploit.Agent-21951. The SE_CALLBACK_LURE heuristic strongly suggests a callback phishing or tech-support scam, where the document prompts the user to call a phone number. While several URLs are embedded, they are all confirmed as benign and related to standard PDF namespaces, providing no direct IOCs for malicious activity. No scripts were extracted from this sample.

Heuristics 3

  • ClamAV: Pdf.Exploit.Agent-21951 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-21951
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/