Malicious PDF — malware analysis report

Static analysis result for SHA-256 669847473a7f1102…

MALICIOUS

PDF

164.0 KB Created: 2016-02-11 21:21:56 UTC Authoring application: easyPDF SDK 7.0 (via BCL easyPDF 7.00 (0355))
MD5: 3990d3bdd9139b2e9ce38dd5b93c6a97 SHA-1: 6378ef84d8ee33117c0686b78a8dd8dacf5c71ef SHA-256: 669847473a7f11024bbf1fa691105b54e147a27e545e2b720e349fb92c4db111
110 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is detected as a PDF dropper by ClamAV, indicating it's designed to deliver malicious content. Heuristics strongly suggest it's a lure for advance-fee scams or fake invoices, aiming to deceive the user. While no executable scripts or malicious URLs were found, the nature of a dropper implies it facilitates the download and execution of a secondary payload.

Machine Learning

  • Nyx PDF Classifier clean score 0.0001

Heuristics 4

  • ClamAV: Pdf.Dropper.Agent-7268148-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7268148-0
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/

Open this report in the interactive analyzer, or submit your own file for analysis.