PDF malware analysis — malicious · 741f4ff7ded8b928

MALICIOUS

PDF

248.2 KB Created: 2010-01-12 20:02:35 Authoring application: Joomla! 1.5 - Open Source Content Management (via TCPDF 2.5.000_PHP4 (http://www.tcpdf.org))

MD5: c5641092e3ffa7d2dcb0b06038327f20 SHA-1: e52ca18348bd96aa8c03801e05106bea0e24f7f3 SHA-256: 741f4ff7ded8b92851bc717b38795a677147cc8f48eee1cf49c3f2355c9007ed

72 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains hidden HTML iframes and embedded URLs pointing to unknown external resources. The ML classifier also flagged this PDF as malicious. These elements suggest the document is designed to redirect users to potentially harmful websites, likely as part of a phishing or malware distribution scheme. No scripts were extracted from this sample.

Machine Learning

Nyx PDF Classifier malicious score 0.9369

Heuristics 2

PDF contains hidden external HTML iframe high PDF_HIDDEN_HTML_IFRAME

PDF bytes contain a hidden zero-size HTML iframe pointing to an external HTTP(S) URL. This is a strong malicious dropper/redirect indicator and is not expected in ordinary PDF content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://fuadrenal.com/lib/index.php In PDF document text
- http://reycross.com/lib/index.phpIn PDF document text
- http://odmarco.com/lib/index.phpIn PDF document text
- http://www.gnu.org/copyleft/gpl.htmlIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`stream_003_off0000c41b.bin` `a5337ef1f5a0dfe4dc8fa6b4f3ef847a53624800b5928a0eeef5b888ceecaabc`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0xC41B	264072 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.