Malicious PDF — malware analysis report

Static analysis result for SHA-256 2d81b8329e1e50f2…

MALICIOUS

PDF

77.4 KB Created: 2017-03-09 00:37:23 UTC Authoring application: RAD PDF (via RAD PDF 2.38.3.1 - http://www.radpdf.com)
MD5: 231743f1318cf2b24a664bfa210c9390 SHA-1: 4957739f0e19d5664e7620d9cd1133891ae99485 SHA-256: 2d81b8329e1e50f20a3be5970a35c543e5f42c98aa2f904503de6f62c6e238a9
112 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF is identified as a malicious dropper by ClamAV and exhibits characteristics of a phishing lure, including an image-only design and embedded clickable URIs. The document body contains multiple URLs, suggesting a redirection mechanism to a potentially malicious site. The primary attack pattern involves luring the user to click on one of the embedded links, which likely leads to a phishing page or a further stage of malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9028

Heuristics 4

  • ClamAV: Pdf.Dropper.Agent-7244239-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7244239-0
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 2 image(s), only 1 text block(s), carries a click-outward action, and is only 77 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://moolacard.com/wp-admin/maint/ADE-ADOBE%20PDF/Login%20pdf.html
    • http://moolacard.com/wp-admin/user/ADE-ADOBE%20PDF/Login%20pdf.html
    • http://www.moolacard.com/wp-admin/network/ADE-ADOBE%20PDF/Login%20pdf.html
    • http://moolacard.com/wp-content/mu-plugins/DHL-DISPATCH/DEPARTMENT/ADE-ADOBE%20PDF/Login%20pdf.html
    • http://phuket-account.com/admin/01/image/ADE-ADOBE%20PDF/Login%20pdf.html
    • http://mybreakingviews.com/wp-content/themes/flat-white/languages/ADE-ADOBE%20PDF/Login%20pdf.html
    • http://www.radpdf.com)/Creator(RAD
    • http://www.dynaforms.com
    • http://www.radpdf.com
    • http://xincubetrade.16mb.com
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00001789.bin
d43e7b69e1e25fe070d522da94c4396003aae12eb7a75aecb2cc0f5e5feef6a6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1789 73728 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.