Malicious PDF — malware analysis report

Static analysis result for SHA-256 69befe353ffdc1ec…

Verdict: MALICIOUS
File type: PDF
Size: 13.0 KB
MD5: 837596b8713354f38a3a7824d48fd98d
SHA-1: 8596b0dd160ca47f548bf6d1ab2b36878b5821ed
SHA-256: 69befe353ffdc1ec8e65a619d22d603087eee9b385441162ee82aba260406e93
Risk Score: 152

Malware Insights

MITRE ATT&CK

  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The file was identified as malicious by multiple engines, including ClamAV which flagged it as Pdf.Dropper.Agent-7206819-0. An embedded artifact was also detected as Win.Exploit.Jailbreak-1. The presence of an unknown URL, http://jailbreakme.com/wad.bin, suggests the PDF is likely a dropper intended to download and execute a secondary payload, aligning with exploitation for client execution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9056

Heuristics (3)

  • ClamAV: Pdf.Dropper.Agent-7206819-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7206819-0
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://jailbreakme.com/wad.bin
    • http://www.apple.com/DTDs/PropertyList-1.0.dtd

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_cff_off00000458.bin
SHA-256: ec9317d65835153478af33a35b3d963625e24c2b34a6b713b3b270a15805b0f5
Kind: pdf-font-stream
Source: PDF embedded font (cff) at offset 0x458
Size: 40077 bytes
Detection: ClamAV: Win.Exploit.Jailbreak-1
Obfuscation or payload: unlikely