Zbot — PDF malware analysis

Static analysis result for SHA-256 44b18af5174f298b…

MALICIOUS

PDF

Size: 39.1 KB
Created: 2014-05-12 21:43:57 -05:00
Authoring application: Created Using iDash (via iText® 5.1.2 ©2000-2011 1T3XT BVBA)
MD5: 955c6e866f80603d33c23365af5d2e00
SHA-1: 394990be7210041584fa2c36bdee5779bc895e25
SHA-256: 44b18af5174f298bec60b90475b3dbc9238606d9bba378c4dcf6c53bdae627d6
Risk score: 100

Malware Insights

Zbot · confidence 95%

MITRE ATT&CK
T1059.001 PowerShell

The critical ClamAV heuristic directly identifies the sample as Win.Trojan.Zbot-32, a known banking trojan. The POLYGLOT_PDF_ZIP_APPENDED heuristic indicates that a ZIP archive is appended to the PDF, suggesting a multi-stage infection or an obfuscation technique. The presence of Zbot family malware strongly implies malicious intent, most likely credential theft or financial fraud.

Heuristics (2)

  • ClamAV: Win.Trojan.Zbot-32 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Zbot-32
  • PDF with appended ZIP archive high POLYGLOT_PDF_ZIP_APPENDED
    A ZIP local-file header was found AFTER the last %%EOF in this PDF — a polyglot pattern where the same bytes are a valid PDF for a PDF reader and a valid ZIP for an archive parser.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename · Kind · Source · Size

  • icc_00_off000035a8.icc
    Kind: pdf-icc-profile · Source: PDF ICC profile at offset 0x35A8 · Size: 3144 bytes
    SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
  • font_00_sfnt_off00004719.bin
    Kind: pdf-font-stream · Source: PDF embedded font (sfnt) at offset 0x4719 · Size: 45516 bytes
    SHA-256: 4d0e2bb6bcb97e4872e6c368669160cb3eede1dda32d31c5849a271cc85e0c0b