Pdf.Dropper.Agent-7678074-0 — PDF malware analysis

Static analysis result for SHA-256 67d9077d6d875373…

MALICIOUS

PDF

1.49 MB
MD5: 259aa6780c6be53b7c024e4b94a725e6 SHA-1: 9276d3c4bf4342bb80dc8af456ae29e136d27fc7 SHA-256: 67d9077d6d875373394b488958a5ae8b1a35ef3d1929ff270f8c61f7e5dc0b16
164 Risk Score

Malware Insights

Pdf.Dropper.Agent-7678074-0 · confidence 95%

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1055.001 Process Injection T1140 Deobfuscate/Decode Files or Information

The file is identified as a malicious PDF dropper by ClamAV. It is encrypted and contains JavaScript, indicating that its payload is hidden from static analysis. The 'SE_PASSWORD_ARCHIVE_LURE' heuristic suggests it employs a common social engineering tactic to trick users into providing a password for an archive, likely containing the actual malware.

Machine Learning

  • Nyx PDF Classifier clean score 0.0072

Heuristics 6

  • ClamAV: Pdf.Dropper.Agent-7678074-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7678074-0
  • Encrypted PDF carries /Js — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JS
    PDF declares /Encrypt and also references an executable trigger (/Js). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • JBIG2Decode filter medium PDF_JBIG2
    JBIG2 image decoder present — historically used in zero-click exploits
  • PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
    PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.destiempos.com/n4/fernando_arrojoramos_n4.htm
    • http://www.patrimoniogastronomico.com/embutido_c.shtml?idboletin=123&idseccion=
    • http://bdh.bne.es/bnesearch/CompleteSearch.do?field=todos&text=descripcion+de+la+mascar
    • http://www.dgbiblio.unam.mx/index.php/guias-y-consejos-de-busqueda/como-citar
    • http://www.um.es/tonosdigital/znum5/peri/peri.htm
    • http://bdh-rd.bne.es/viewer.vm?id=0000019238
    • http://www.cervantesvirtual.com/nd/ark:/59851/bmc61192
    • http://www.google.com.mx/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0CB
    • http://www.boe.es/boe/dias/1963/11/04/pdfs/A15602-15602.pdf
    • http://www.redalyc.org/articulo.oa?id=60253102
    • http://www.rae.es/drae/?type=3&val=mono&val_aux=&origen=REDRAE
    • http://www.rae.es/
    • http://books.google.com.mx/books?id=e5BoVZgDoAUC&pg=PA179&dq=sileno+ASN
    • https://www.academia.edu/5510484/_Locos_y_bobos_dos_mascaras_fingidas_en_el_te
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
jbig2_00_off00158cb9.bin
b7fa2874ae8fd274635a4ba55e4eacc491364930134336e1e9fc79dcbcec9258		 pdf-jbig2-stream PDF JBIG2 stream at offset 0x158CB9 48 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.