Malicious PDF — malware analysis report

Static analysis result for SHA-256 4ef48ec724a54fab…

Verdict: MALICIOUS
File type: PDF
Size: 103.2 KB
Created: 2010-06-09 07:25:48 +04:00
MD5: 34980449ebd18b55109d61cde4478b51
SHA-1: ed81bf0b39f0ec5db1352314023ea9152b594da1
SHA-256: 4ef48ec724a54fab350914897b0e2a144aba3ebee10bce6d4b3ffe3480031ae3
Risk score: 190

Malware Insights

MITRE ATT&CK
T1553.005 Mark-of-the-Web Bypass T1204.002 Malicious File

The PDF contains an embedded Windows executable payload, as flagged by the PDF_EMBEDDED_PE_PAYLOAD heuristic. ClamAV detects the carved artifact as Win.Trojan.Hacktool-51. An external URI, http://www.pdfxviewer.com/, was also found in the decompressed stream and may serve as a download or redirection point.

Heuristics (6)

  • Embedded Windows executable payload in PDF stream (critical, PDF_EMBEDDED_PE_PAYLOAD)
    PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary content streams rather than in standard /EmbeddedFile attachments, so an attachment listing alone will not reveal them.
  • ClamAV: Win.Trojan.Hacktool-51 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Hacktool-51
  • ClamAV detection on extracted artifact (critical, EXTRACTED_FILE_CLAMAV)
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • Embedded file (low, PDF_EMBEDDED)
    The PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload (matched inside a decoded stream).
  • External URI (info, PDF_URI)
    The PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/pdf/1.3/
    The three URLs above are RDF/XMP namespace identifiers from the document's metadata packet, not links the document follows, and should not be treated as network indicators.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: stream_003_off0000158e.bin
SHA-256: bf053c2e65699313e588b2671bc097cc81cc714f4f83fb6090f265240497d533
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x158E
Size: 186368 bytes
Detection: ClamAV: Win.Trojan.Hacktool-51
Obfuscation or payload: unlikely
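The carving step behind the PDF_EMBEDDED_PE_PAYLOAD heuristic and the artifact listed above (inflate each Flate stream, then look for a PE image inside it) can be reproduced with the standard library alone. The script below is an added example and is not the analysis platform's own code. It assumes a plain-text PDF layout (stream ... endstream keywords), treats "verified PE header" as an MZ stub whose e_lfanew field points at a PE\0\0 signature inside the buffer, and builds its own sample PDF around a constructed MZ/PE stub; the real sample's payload is not reproduced here.

```python
"""Carve FlateDecode streams out of a PDF and scan each one for a PE image.

Added example; not the analysis platform's code. The sample PDF and the
MZ/PE stub it hides are constructed here, not taken from the report.
"""
import re
import struct
import zlib
from typing import List, Optional

# "stream" keyword, EOL, data, EOL, "endstream". DOTALL so binary data matches.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)

# Constructed stand-in for a payload: DOS header with e_lfanew = 0x40,
# followed by the PE signature and a few zero bytes. Not a runnable binary.
FAKE_PE = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", 0x40) + b"PE\x00\x00" + bytes(0x20)

# Constructed filler content that precedes the payload inside the stream.
FILLER = b"BT /F1 12 Tf (hello) Tj ET\n" * 8


def pe_header_offset(data: bytes) -> Optional[int]:
    """Offset of the PE signature if data begins with a consistent MZ header, else None.

    "Verified" here (our interpretation of the heuristic) means: 'MZ' at offset 0,
    e_lfanew (DWORD at 0x3C) is at least 0x40 and lands inside the buffer, and the
    PE signature is there. A bare 'MZ' in text or image data does not pass.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew < 0x40 or e_lfanew + 4 > len(data):
        return None
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    return e_lfanew


def find_pe_in_blob(blob: bytes) -> List[int]:
    """Every offset in blob where an MZ header with a valid PE signature starts."""
    return [m.start() for m in re.finditer(rb"MZ", blob)
            if pe_header_offset(blob[m.start():]) is not None]


def carve_streams(pdf: bytes) -> List[dict]:
    """Inflate each stream (fall back to raw bytes if it is not Flate data) and scan it."""
    results = []
    for idx, m in enumerate(STREAM_RE.finditer(pdf)):
        raw = m.group(1)
        try:
            data, kind = zlib.decompress(raw), "decompressed-pdf-stream"
        except zlib.error:
            data, kind = raw, "raw-pdf-stream"
        offset = m.start(1)  # file offset of the stream data
        results.append({
            "name": "stream_%03d_off%08x.bin" % (idx, offset),
            "offset": offset,
            "kind": kind,
            "size": len(data),
            "pe_offsets": find_pe_in_blob(data),
        })
    return results


def build_sample_pdf(payload: bytes) -> bytes:
    """Constructed sample: one ordinary FlateDecode content stream with the payload
    buried after filler text. There is no /EmbeddedFile object, so an attachment
    listing would show nothing."""
    deflated = zlib.compress(FILLER + payload + b"\n")
    return (
        b"%PDF-1.4\n"
        + b"1 0 obj\n<< /Length " + str(len(deflated)).encode()
        + b" /Filter /FlateDecode >>\nstream\n" + deflated + b"\nendstream\nendobj\n"
        + b"2 0 obj\n<< /Type /Catalog >>\nendobj\n"
        + b"trailer\n<< /Root 2 0 R >>\n%%EOF\n"
    )


if __name__ == "__main__":
    for hit in carve_streams(build_sample_pdf(FAKE_PE)):
        print(hit)
```

Running it against a real sample is a matter of passing the file bytes to carve_streams; any stream whose pe_offsets list is non-empty is worth writing out and handing to ClamAV, exactly as the report did for the stream at 0x158E. The e_lfanew check is what keeps image data or text that merely contains the letters "MZ" from raising a hit.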