Malicious PDF — malware analysis report

Static analysis result for SHA-256 4040ddf9a9765de7…

MALICIOUS

PDF

209.0 KB Created: 2017-11-14 11:34:19 +03:00 Authoring application: Microsoft® Word 2013
MD5: 1f86b663984784ba02a675d750d2038f SHA-1: dfcc49baf38c9ee8804f2e1e671a31e699d99c4c SHA-256: 4040ddf9a9765de740e00b1afd71dc998a85bf2ae790acd708fd96b85b2e1b50
170 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious Link T1566.002 Spearphishing Attachment

The PDF is an image-only lure, designed to trick users into clicking a link. The embedded URL directly points to a ZIP archive, indicating a dropper or downloader functionality. ClamAV also detected this as Pdf.Dropper.Agent-7253701-0, further supporting its malicious nature.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7465

Heuristics 4

  • PDF link points directly to executable/archive payload critical PDF_DIRECT_PAYLOAD_LINK
    PDF contains a clickable HTTP(S) URI whose path ends in an executable, script, shortcut, disk image, or archive extension. Documents can legitimately link to installers, so this is a high-risk delivery indicator rather than a standalone exploit fingerprint.
  • ClamAV: Pdf.Dropper.Agent-7253701-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7253701-0
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 209 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://c.lewd.se/MFDeAg_Document_07410101.zip

Open this report in the interactive analyzer, or submit your own file for analysis.