PDF malware analysis — malicious · 6b1e18b56dd2270f

MALICIOUS

PDF

174.3 KB Created: 2017-11-14 13:34:56 +02:00 Authoring application: Microsoft® Word 2016

MD5: 42ca947d549245e6c76a691650d2c919 SHA-1: cbc90a79476e2280d048dc22a59710f3ae6e792c SHA-256: 6b1e18b56dd2270fe9c14492defc8843ba9d8f4b2fe5703842912ca29f481153

84 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The PDF file is detected as a malicious dropper by ClamAV. It employs an image-only lure, a common tactic to obscure clickable elements that redirect to external URLs. The primary external URL identified, https://lefebreymesa.com/english/secured/document/DOCsignsecured/DOCsignsecured/dsign/, is flagged as suspicious and is likely the next stage in the attack chain, potentially leading to credential theft or further malware deployment.

Machine Learning

Nyx PDF Classifier clean score 0.0464

Heuristics 4

ClamAV: Pdf.Dropper.Agent-7269626-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Dropper.Agent-7269626-0
Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE

PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 174 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://lefebreymesa.com/english/secured/document/DOCsignsecured/DOCsignsecured/dsign/
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/pdf/1.3/
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/

Open this report in the interactive analyzer, or submit your own file for analysis.