Malicious PDF — malware analysis report

Static analysis result for SHA-256 49ee25ba3cd91c1b…

Verdict: MALICIOUS

File type: PDF

Size: 107.5 KB
Created: 2016-04-06 01:42:50 +00:00
Authoring application: Microsoft Word
MD5: 51067140b1ee1f6ec90f9609921b4141
SHA-1: 0ef35a3e88388984a5f5d4cb034fc37084cce453
SHA-256: 49ee25ba3cd91c1b83177b9f2b074d2b810bbd525e78118873e4b390fc9a7bb5
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The file is a PDF document identified by ClamAV as Pdf.Dropper.Agent-7212068-0. It contains an embedded URL that impersonates a financial institution, suggesting a phishing or credential harvesting attempt. The presence of the URL within the document body further supports this attack pattern.

Machine Learning

  • Nyx PDF Classifier clean score 0.0113

Heuristics (3)

  • ClamAV: Pdf.Dropper.Agent-7212068-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7212068-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://home.capitalone.360.com.org.online.access.confirmation.dukkans.com/com.htm

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: stream_002_off00004fec.bin
SHA-256: b21b030a3fe46ff06ede61f1577fd00c75f1358188d19a3cf24774ca51602df9
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x4FEC
Size: 187500 bytes