Malicious PDF — malware analysis report

Static analysis result for SHA-256 3e45a874c82cfbff…

Verdict: MALICIOUS
File type: PDF
Size: 290.6 KB
Created: 2008-04-18 15:25:18 +05:30
Authoring application: John Wiley (via PDFlib PLOP 2.0.0p6 (SunOS)/Acrobat Distiller 5.0 (Windows))
MD5: 89682789ef1b0b0f20b4bb0ea44ec993
SHA-1: 89c5ed9a1ea2a0c5f4451eba3f57c385d6dd3a0a
SHA-256: 3e45a874c82cfbffc014cd1b0c1fd8e2f48f2c131c4ae28de0a78882d5917e7d
Risk Score: 122

Malware Insights

MITRE ATT&CK
  • T1059 Command and Scripting Interpreter
  • T1566 Phishing

The PDF file contains a critical ClamAV detection for Pdf.Dropper.Agent-7252682-0. Static analysis revealed an embedded script payload and a hidden external HTML iframe, indicating an attempt to redirect the user to malicious content. The embedded script and iframe likely serve to download and execute a second-stage payload from the identified suspicious URLs.

Heuristics (5)

  • ClamAV: Pdf.Dropper.Agent-7252682-0 [severity: critical; rule: CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7252682-0
  • PDF contains hidden external HTML iframe [severity: high; rule: PDF_HIDDEN_HTML_IFRAME]
    PDF bytes contain a hidden zero-size HTML iframe pointing to an external HTTP(S) URL. This is a strong malicious dropper/redirect indicator and is not expected in ordinary PDF content.
  • Embedded script payload in PDF stream [severity: medium; rule: PDF_EMBEDDED_SCRIPT_PAYLOAD]
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives. This is common in accessible XFA forms but worth surfacing for analyst review.
  • Suspicious extracted artifact [severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [severity: info; rule: EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
      • http://www.ro521.com/test.htm
      • http://j5b.kr/bin/h.js
      • http://www.w3.org/1999/02/22-rdf-syntax-ns#
      • http://ns.adobe.com/iX/1.0/
      • http://ns.adobe.com/pdf/1.3/
      • http://ns.adobe.com/xap/1.0/
      • http://purl.org/dc/elements/1.1/

Extracted artifacts (19)

Files carved from inside the sample during analysis.

| Filename | SHA-256 | Kind | Source | Size | Detection / notes |
|---|---|---|---|---|---|
| embedded_pdf_script_000489fe.bin | c64c98b4d56551f82daaa7ad1823d6e1eff8815d2219460737a24906ad6bdf30 | pdf-embedded-script | PDF decompressed stream script payload at offset 0x489FE | 297516 bytes | ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 5 long base64-like blobs). |
| icc_00_off0000df6e.icc | 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e | pdf-icc-profile | PDF ICC profile at offset 0xDF6E | 3144 bytes | |
| font_00_cff_off0000102b.bin | 9442d96173999a2cd045f4d5527ae48ce835fe25e62fd7152991da68d4a57fb0 | pdf-font-stream | PDF embedded font (cff) at offset 0x102B | 3614 bytes | |
| font_01_cff_off00001e5c.bin | 7c6e5956d71b427eb992a238a596b941badee7dcd108d27df63c0aac94cee292 | pdf-font-stream | PDF embedded font (cff) at offset 0x1E5C | 211 bytes | |
| font_02_cff_off0000247c.bin | 92d670679fb0f57b24c0cb8db1d18b53600205521c4561426215779285241e9e | pdf-font-stream | PDF embedded font (cff) at offset 0x247C | 6308 bytes | |
| font_03_cff_off00003e1a.bin | 0bf18a45eedf0ade7d0d0a48db7e395ae585e0c7f4c04137cbd39466139443a7 | pdf-font-stream | PDF embedded font (cff) at offset 0x3E1A | 6171 bytes | |
| font_04_cff_off0000569e.bin | 433c422b7452bbda51d7bbac2685412e40dc2bfee1279da28b142d9055d6bd0d | pdf-font-stream | PDF embedded font (cff) at offset 0x569E | 882 bytes | |
| font_05_cff_off00005e9a.bin | 5652a9a710492615c22c062c542e60cfeb8f171979beb92f1d93256ec639dcfe | pdf-font-stream | PDF embedded font (cff) at offset 0x5E9A | 2548 bytes | |
| font_06_cff_off00006a48.bin | aabc3dc5fe46ca9d971a410593c9aff96bc219ccbea38e26a532f3dedc224838 | pdf-font-stream | PDF embedded font (cff) at offset 0x6A48 | 490 bytes | |
| font_07_cff_off00006f9f.bin | e9fb0bbfb6928e8103457dff154b19bc9c92a385903ec5f468ac4b35b43c73a7 | pdf-font-stream | PDF embedded font (cff) at offset 0x6F9F | 3567 bytes | |
| font_08_cff_off0000809c.bin | b35c3c0bb3b2702f2fd43914d4816a810e4bfcc00eab8e18db43302d07aa87df | pdf-font-stream | PDF embedded font (cff) at offset 0x809C | 7884 bytes | |
| font_09_cff_off00009f46.bin | 1ce3723630f178927f5e3099efc7ba5099937b6e343235400ea47b850ad4cc6e | pdf-font-stream | PDF embedded font (cff) at offset 0x9F46 | 1349 bytes | |
| font_10_cff_off0000a65a.bin | 5fae2ae44bed100b437010c358e9514af7c57fd471b1a25a7517369db812d8f5 | pdf-font-stream | PDF embedded font (cff) at offset 0xA65A | 211 bytes | |
| font_11_cff_off00010edd.bin | 93815dcef887826cd639652dd760b536a2d83e5bba0295d0ae7b120bdcc7d85c | pdf-font-stream | PDF embedded font (cff) at offset 0x10EDD | 338 bytes | |
| font_12_cff_off0003d47d.bin | 2a48865b5cccf8be96d1f7000c14bd7f4ccd3c1cc3d1378708ec74e90de75707 | pdf-font-stream | PDF embedded font (cff) at offset 0x3D47D | 176 bytes | |
| font_13_cff_off0003d8ff.bin | d701fd77bc8afe28c31d459cbf2e3629cee1f8f0336e211a6094e29ca93827ab | pdf-font-stream | PDF embedded font (cff) at offset 0x3D8FF | 911 bytes | |
| font_14_cff_off0003dea5.bin | 148f4663f793dcc4cf274e99e4556c13e395ebb7202001362ecc0aee1ac40bee | pdf-font-stream | PDF embedded font (cff) at offset 0x3DEA5 | 342 bytes | |
| font_15_cff_off00041e90.bin | 4afbd1226a3e6ceda873a0cffbcb164cf721a5d048b29f9b9114f55e5ddb1c89 | pdf-font-stream | PDF embedded font (cff) at offset 0x41E90 | 235 bytes | |
| font_16_cff_off000425e2.bin | c157312e4fd887ebc6ee8c6e9172f4a7aad5105cffc98f6f2c32c187ebc3f7d0 | pdf-font-stream | PDF embedded font (cff) at offset 0x425E2 | 18500 bytes | |