PDF malware analysis — malicious · 4021cd5117952447

MALICIOUS

PDF

97.0 KB Created: 2017-11-17 14:28:04 +01:00 Authoring application: wkhtmltopdf 0.12.3 (via Qt 4.8.7)

MD5: e659b9a1e4d954d882e930a449a7e3d6 SHA-1: 73111bf879988a4e1dcf1b4a1099569b2e4919b2 SHA-256: 4021cd51179524475c796c39a43d583e721875640ac74f6dc9513f81b1ed880b

62 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains an embedded hyperlink pointing to 'http://flyt.it/aexp003'. ClamAV detection 'Pdf.Dropper.Agent-7253674-0' indicates this is a known dropper. The document body is heavily obfuscated, but the presence of the URL and the ClamAV signature strongly suggest a malicious intent to redirect the user to a potentially harmful site, likely for further payload delivery.

Machine Learning

Nyx PDF Classifier clean score 0.0006

Heuristics 3

ClamAV: Pdf.Dropper.Agent-7253674-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Dropper.Agent-7253674-0
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://flyt.it/aexp003

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`stream_003_off000126bc.bin` `1bac48eeb8252e5200d0d4904a388e11b84795207355da6b152fff22fd1eacc1`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x126BC	13220 bytes
`font_01_sfnt_off00014c19.bin` `cc51817fb8572dc9fb7fbf5cdc6e91bc494cdb14a80d771fe3d21cb5d09f78d0`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x14C19	11968 bytes
`font_02_sfnt_off00016c17.bin` `fbe20b269730f561a153de9337e7009c650c9ee604a085cdfb6937d27a06f027`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x16C17	16204 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.