Malicious PDF — malware analysis report

Static analysis result for SHA-256 61793c2129f76d87…

Verdict: MALICIOUS
File type: PDF
Size: 61.2 KB
Created: 2017-11-28 08:21:12 -08:00
Authoring application: Microsoft® Word 2013
MD5: 118cac0489c636d9d4af844fbd3953ab
SHA-1: 87794644c3e155b406fe2f4e98e2111514fce9f4
SHA-256: 61793c2129f76d871cb8be1a63f1c13a5dda7d7e81763f0d14bd4cc8127bf998
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF contains a direct link to a ZIP archive, flagged by the PDF_DIRECT_PAYLOAD_LINK heuristic. This strongly suggests the document is intended to trick the user into downloading and running a malicious payload. The ML classifier score and the ClamAV signature match further corroborate the malicious verdict. The embedded URL is the primary indicator of compromise.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6746

Heuristics (3)

  • PDF link points directly to executable/archive payload [critical] PDF_DIRECT_PAYLOAD_LINK
    The PDF contains a clickable HTTP(S) URI whose path ends in an executable, script, shortcut, disk image, or archive extension. Documents can legitimately link to installers, so this is a high-risk delivery indicator rather than a standalone exploit fingerprint.
  • ClamAV: Pdf.Dropper.Agent-7265825-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7265825-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://invoice-personnel.com/drupal/includes/filetransfer/VNK0.30534800.zip