Malicious PDF — malware analysis report

Static analysis result for SHA-256 4192eeca6432633d…

MALICIOUS

PDF

Size: 342.2 KB
Created: 2018-03-07 15:06:23 -05:00
Authoring application: Microsoft® Word 2016 (via Neevia Document Converter Pro v6.9 (http://neevia.com))
MD5: 73a12aa72677e4ac88215977997a8010
SHA-1: 0b812b1f11eb4f895855f7d134ecdfdc80ed3b8f
SHA-256: 4192eeca6432633dbc642bdb12ee2489a24e091077f09d79e74f6d6a2d777d28
Risk Score: 150

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The PDF contains a direct link to an executable payload, identified by the PDF_DIRECT_PAYLOAD_LINK heuristic. This executable, 'token.exe', is hosted on the domain 'protected-documents.solutions'. ClamAV also detected this file as 'Pdf.Dropper.Agent-7254226-0', indicating its known malicious nature. The primary attack pattern involves tricking the user into downloading and running the linked executable, likely under the guise of a necessary update or security token.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.6914

Heuristics (3)

  • PDF link points directly to executable/archive payload [critical] PDF_DIRECT_PAYLOAD_LINK
    PDF contains a clickable HTTP(S) URI whose path ends in an executable, script, shortcut, disk image, or archive extension. Documents can legitimately link to installers, so this is a high-risk delivery indicator rather than a standalone exploit fingerprint.
  • ClamAV: Pdf.Dropper.Agent-7254226-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7254226-0
  • Embedded URL info [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL https://protected-documents.solutions/adobe/absa/token.exe
    • http://neevia.com\))/CreationDate(D:20180307150623-05
    • http://neevia.com
    • https://helpx.adobe.com/africa/acrobat/how-to/security-permissions-protect-pdf-files.html?set=acrobat--fundamentals--secure-pdf
    • http://rmments.duckdns.org:9018/nazb-raww.exe
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

stream_078_off000267c5.bin
  SHA-256: b898d3d25931fd3fdc194b9477cc63ff55846629ab7dc193da4330f57e8435b7
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x267C5
  Size: 182112 bytes

stream_079_off0003b6a0.bin
  SHA-256: fae7fcb1d0db9895837d02e5f903d4d884f3f94929713656ed74c3caeda5a92d
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x3B6A0
  Size: 209636 bytes