MALICIOUS
62
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF file contains embedded URLs that are presented as part of game instructions, but one URL, http://goto.tomsorg.com/list.php?q=Cadaco, is flagged as suspicious. ClamAV detection as Pdf.Dropper.Agent-7489410-0 further indicates malicious intent, likely to redirect the user to a malicious site or download further payloads.
Heuristics 3
-
ClamAV: Pdf.Dropper.Agent-7489410-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Dropper.Agent-7489410-0
-
External URI info PDF_URIPDF contains an external URL action
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://goto.tomsorg.com/list.php?q=Cadaco
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/pdf/1.3/
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
stream_003_off00002ade.binf231a8ff7fb3a84145f7033177fe26b2cf909679c9d578300d28ce4ee23bdd26 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x2ADE | 20028 bytes |
font_01_sfnt_off00006096.bin9f17384f8478f33edca82c42e7b3cded2e2dd0622ccd022a53d3fb41c30c007b |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6096 | 2284 bytes |
font_02_sfnt_off00006ab0.bin5fd40a3b3da8aa446b5e3dc72a2428e961793c1cf1e02d96c0bd57129d5aa978 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6AB0 | 17476 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.