PDF malware analysis — malicious · 40a74a2f9b8345b4

MALICIOUS

PDF

1.10 MB Created: 2017-10-30 11:48:27 Authoring application: CorelDRAW (via Corel PDF Engine Version 3.0.0.576)

MD5: cc821cf968ec1b7f4e27b0fb674c0130 SHA-1: d948341cd95994e3033c8b3afd584325a8dc9e64 SHA-256: 40a74a2f9b8345b429c830adc99c6918db3305da82df774c4e2260f44597a6f7

82 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF was detected as malicious by ClamAV (Pdf.Dropper.Agent-7253919-0). It contains an external URI pointing to 'http://oficinadolar.com.br/libraries/joomla/installer/agreement.html'. The PDF is also flagged as an image-only lure, indicating it likely contains no readable text and relies on visual deception to trick users into interacting with embedded links.

Machine Learning

Nyx PDF Classifier clean score 0.0046

Heuristics 4

ClamAV: Pdf.Dropper.Agent-7253919-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Dropper.Agent-7253919-0
PDF paints image(s) but contains no text operators medium PDF_IMAGE_ONLY_LURE

PDF has 1 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://oficinadolar.com.br/libraries/joomla/installer/agreement.html

Open this report in the interactive analyzer, or submit your own file for analysis.