Malicious PDF — malware analysis report

Static analysis result for SHA-256 467bb452e98128ee…

MALICIOUS

PDF

184.9 KB Created: 2009-08-03 10:28:24 +08:00
MD5: b7c1b49f81a8763b87ea26416b5a68c6 SHA-1: 8a4c78b50e460058d7ddee07e349ed63f2e33bff SHA-256: 467bb452e98128ee3792a8ecf4c4e257d8e80dfa69e8bfdca22d8fed8f49f0c0
140 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious File

The file is identified as a malicious PDF by ClamAV and a machine learning classifier. Static analysis reveals it contains an embedded Flash (SWF) object, which is a common vector for delivering exploits. The PDF itself appears to be an "image only lure" designed to trick users into opening the embedded malicious content. No specific malware family could be identified, but the presence of the SWF points to an exploit delivery mechanism.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9904

Heuristics 5

  • ClamAV: Swf.Malware.Agent-7104323-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Swf.Malware.Agent-7104323-0
  • RichMedia (Flash) high PDF_RICHMEDIA
    PDF contains /RichMedia (Adobe Flash) which is a historic exploit vector (matched inside decoded stream)
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload (matched inside decoded stream)
  • PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
    PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://adobe.com/AS3/2006/builtin
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objstm_0032_00.bin
86cf71bb204eddd273984a68ac4dd99b5ab7d9a93334be70dfe736883042a648		 pdf-objstm-decoded PDF /ObjStm 32 0 obj (inflated) 1878 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.