PDF malware analysis — malicious · 7263e378f640c8d9

MALICIOUS

PDF

13.0 KB

MD5: 581960469bfe3c59d0fc91ef22060353 SHA-1: 5cd3a01a6604392d6beef10c65f51fd60d00ae45 SHA-256: 7263e378f640c8d962f3825c593013e00b078a9ac1d81ebed28c89012ad09457

152 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The PDF file was flagged by multiple heuristics, including ClamAV, as malicious, specifically identifying it as Win.Exploit.Jailbreak-1. The embedded URL 'http://jailbreakme.com/wad.bin' is highly suspicious and likely serves as a download location for a secondary malicious payload. The ML classifier also strongly indicated maliciousness.

Machine Learning

Nyx PDF Classifier malicious score 0.9056

Heuristics 3

ClamAV: Win.Exploit.Jailbreak-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Exploit.Jailbreak-1
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://jailbreakme.com/wad.bin
- http://www.apple.com/DTDs/PropertyList-1.0.dtd

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_cff_off00000458.bin` `a8ee2db46dcea2b5c19a130e49e2017917d007b711c524d521041107be7f2ac3`	pdf-font-stream	PDF embedded font (cff) at offset 0x458	40077 bytes
Detection ClamAV: Win.Exploit.Jailbreak-1 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.