Malicious PDF — malware analysis report

Static analysis result for SHA-256 6f72ebdef461a94e…

Verdict: MALICIOUS
File type: PDF
Size: 186.7 KB
MD5: 7dd7cb147e064cc90f964fd2d3f60905
SHA-1: 6518ed0d01fcc425c5e42bc930ca7c3e9a324b49
SHA-256: 6f72ebdef461a94e285035f4aace45a0081fe902cf08e90b694d6d7672952536
Risk Score: 64

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains an embedded URI pointing to 'https://mrshabanali.pw/demo/closing/', which is flagged as suspicious. ClamAV also identified the file as 'Pdf.Dropper.Agent-7271013-0', indicating its dropper functionality. While no scripts were explicitly extracted, the presence of an external URI in a malicious PDF strongly suggests an attempt to download and execute a second-stage payload, aligning with spearphishing attachment tactics.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0005

Heuristics (3)

  • ClamAV: Pdf.Dropper.Agent-7271013-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7271013-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: stream_006_off000063f2.bin
SHA-256: 8b80246955d520e6223302ca508b68eff35d925b276c309ec8348125c6f3b565
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x63F2
Size: 191828 bytes

Filename: stream_008_off0001c41c.bin
SHA-256: 3582e8e6ea27c2d4760d4fe045d2b3a3693725a28dccb3ef50da62a3d3a20487
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x1C41C
Size: 251804 bytes