Malicious PDF — malware analysis report

Static analysis result for SHA-256 370ea1c4726d433a…

MALICIOUS

PDF

308.5 KB Created: 2017-10-24 21:11:09 +08:00 Authoring application: Microsoft® Word 2013
MD5: e04c8561207cbcf3285e7701cd375a62 SHA-1: f0fd95a9bc4eeac38e442f1d29063667fbdfb1ea SHA-256: 370ea1c4726d433a02d127a7d6329584ffb5c3d41c7e01543b54b8acec8bfd97
62 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The file is a PDF document identified by ClamAV as Pdf.Dropper.Agent. It contains an embedded URI pointing to a suspicious URL, https://babybees.vn/wp-contents/OWA/. This suggests the document is intended to redirect the user to a malicious site, likely for further exploitation or credential harvesting.

Machine Learning

  • Nyx PDF Classifier clean score 0.0745

Heuristics 3

  • ClamAV: Pdf.Dropper.Agent-7249102-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7249102-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://babybees.vn/wp-contents/OWA/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off00000dca.bin
a3214a366a024bc5f2b0dd49dcc63a4503d5072c25c0a29b0c15398c32c9685a		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0xDCA 384856 bytes
stream_003_off0002a00d.bin
1458470bb7b7083fa6131c11cea2791947b2f6f8198150843afbc4f66fce0edc		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x2A00D 332636 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.