Malicious PDF — malware analysis report

Static analysis result for SHA-256 79aeb7606d7ce948…

Verdict: MALICIOUS
File type: PDF
Size: 399.5 KB
Created: 2017-11-10 11:51:32 +00:00
Authoring application: Microsoft® Word 2016 (via www.ilovepdf.com)
MD5: 64d37f2e82842f0d18aa448aa876be7b
SHA-1: 7099de7e61fd3d7e1fa448f4e41eba11dfe0406f
SHA-256: 79aeb7606d7ce948af6ffc912b4b985c18ea3183af8307b8e2a2f1c3c09e61fc
Risk score: 64

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

ClamAV identifies the file as malicious (Pdf.Dropper.Agent-7275029-0). The document carries an external URI action pointing at https://smarturl.it/officeofficeofficeup, an address on a link-shortening service; the report records the shortened URL only, not the destination it redirects to, so the final landing page is unknown, but a shortened link in a Word-derived PDF passed through an online converter is consistent with a phishing lure. No JavaScript and no embedded files were extracted, so the dropper/downloader behaviour implied by the ClamAV name rests on the signature match and the external URI rather than on any observed code.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0449 (the model assigns the file a low probability of being benign)

Heuristics (3)

  • ClamAV: Pdf.Dropper.Agent-7275029-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7275029-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; what matters is the channel that carries each URL (link annotation, JavaScript, macro, document body, embedded binary), because only some of those channels can actually take a reader anywhere.
    URI action target (the URL reached by clicking the link annotation; see the External URI heuristic above):
    • https://smarturl.it/officeofficeofficeup
    Strings carved from embedded binary streams. The Microsoft URLs are the CRL distribution points, certificate locations and CPS pointer of a Microsoft code-signing certificate chain, and the remaining entries are font-vendor and licence URLs; together they are consistent with the digital-signature and name tables of the embedded font listed under Extracted artifacts, not with document content. As extracted, several carried trailing bytes ("0X", "0T", "0^", "0@", and two undecodable bytes) that are the DER tag and length bytes following each string in the certificate blob, and two adjacent strings were run together; the list below has those removed and split:
    • http://www.microsoft.com/typography/ctfonts
    • http://lucasfonts.com
    • http://en.wikipedia.org/wiki/MIT_License
    • http://www.microsoft.com/typography/fonts/default.aspx
    • http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl
    • http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt
    • http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl
    • http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt
    • http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
    • http://www.microsoft.com/pkiops/certs/MicCodSigPCA2011_2011-07-08.crt
    • http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
    • http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt
    • http://www.microsoft.com/pkiops/docs/primarycps.htm
    • http://www.microsoft.com/Typography/
    • http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl
    • http://www.microsoft.com/pki/certs/MicCodSigPCA_08-31-2010.crt
    • http://www.microsoft.com/typography
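
The Embedded URL heuristic above treats a URL as a lead rather than a detection until the channel that carries it is known, and the Microsoft URLs show what the harmless channel looks like: certificate strings inside an embedded font with neighbouring DER bytes glued onto them. The script below is an added example written for this page; it is not part of the analysis tool or its output. It reproduces the distinction on a constructed PDF: it pulls /URI actions out of link annotations, inflates FlateDecode streams and scans their bodies separately, and labels each URL with the channel it came from. The object layout, the example.com URLs and the DER bytes in the fake font blob are all constructed for illustration; nothing in it is taken from the analysed sample.

```python
"""Classify URLs in a PDF by the channel that carries them (added example)."""
import re
import zlib

# RFC 3986 characters minus the PDF literal-string delimiters ( ) and quotes.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&*+,;=%-]+")
# A dictionary directly followed by a stream body; the tempered dot keeps one
# match from running through an endobj into the next object.
STREAM_RE = re.compile(rb"(<<(?:(?!endobj).)*?>>)\s*stream\r?\n", re.S)
# A dictionary carrying an /S /URI action, bounded by the first >> after it.
ACTION_RE = re.compile(rb"<<(?:(?!>>).)*?/S\s*/URI(?:(?!>>).)*?>>", re.S)
URI_KEY_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Direct /Length only; an indirect "/Length 8 0 R" is deliberately skipped.
DIRECT_LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")


def build_sample_pdf() -> bytes:
    """Constructed sample, not the analysed file: one /Link annotation with a
    /URI action, plus a FlateDecode stream standing in for an embedded font
    whose signing-certificate blob mixes CRL/vendor URLs with DER bytes.
    There is no xref table: enough for a scanner, not for a viewer."""
    font_blob = (b"\x30\x82\x01\x00"                      # DER SEQUENCE header
                 b"http://crl.example.com/pki/root.crl"
                 b"\x30\x54\x06\x09"                      # next DER tag/length
                 b"Vendor: http://fonts.example.com\x00")
    compressed = zlib.compress(font_blob)
    bodies = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Annots [4 0 R] /Resources << /Font << /F1 5 0 R >> >> >>",
        b"<< /Type /Annot /Subtype /Link /Rect [72 700 300 720] "
        b"/A << /S /URI /URI (https://example.com/lure) >> >>",
        b"<< /Type /Font /Subtype /TrueType /BaseFont /FakeSans "
        b"/FontDescriptor 6 0 R >>",
        b"<< /Type /FontDescriptor /FontName /FakeSans /FontFile2 7 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(compressed)
        + compressed + b"\nendstream",
    ]
    out = [b"%PDF-1.4"]
    for num, body in enumerate(bodies, start=1):
        out.append(b"%d 0 obj\n" % num + body + b"\nendobj")
    out.append(b"%%EOF")
    return b"\n".join(out)


def stream_bodies(pdf: bytes):
    """Yield (dictionary, raw body) for every stream, sliced by a direct
    /Length when present and by the endstream keyword otherwise."""
    for m in STREAM_RE.finditer(pdf):
        start = m.end()
        length = DIRECT_LENGTH_RE.search(m.group(1))
        if length:
            end = start + int(length.group(1))
        else:
            end = pdf.find(b"endstream", start)
            if end < 0:
                continue
        yield m.group(1), pdf[start:end]


def classify_urls(pdf: bytes) -> dict:
    """Map each URL to the channel it was found in, most actionable first:
    a link annotation fires on click; a string inside a decompressed stream
    (font, image, content) is just bytes until something parses it; anything
    else is an uncompressed string in the raw file body."""
    found = {}
    for act in ACTION_RE.finditer(pdf):
        for uri in URI_KEY_RE.findall(act.group(0)):
            found[uri.decode("latin-1")] = "link-annotation"
    for dictionary, body in stream_bodies(pdf):
        if b"/FlateDecode" in dictionary:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                continue        # chained filters or damage: do not guess
        for url in URL_RE.findall(body):
            found.setdefault(url.decode("latin-1"), "decompressed-stream")
    for url in URL_RE.findall(pdf):
        found.setdefault(url.decode("latin-1"), "raw-body")
    return found


if __name__ == "__main__":
    for url, channel in sorted(classify_urls(build_sample_pdf()).items()):
        print(f"{channel:20} {url}")
```

Run as a script it prints each URL with its channel. The CRL address comes out as http://crl.example.com/pki/root.crl0T, with the same kind of trailing "0T" that the report's Microsoft URLs carry, because a string scanner cannot tell where a URL ends and the next DER tag begins; only the link-annotation entry is something a reader can actually click.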

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: stream_000_off00000058.bin
  SHA-256: 7245f0fd26d799d5389e18748236f0fd4ac0f88f40b3f2f46db4a739a2e7bd87
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x58
  Size: 365988 bytes

Filename: stream_002_off0004c78c.bin
  SHA-256: 638bf85f3e4ccfa327196ab88b89eedc0098a426676a9f4fe2ae0834a6c7d8fa
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x4C78C
  Size: 293848 bytes

Filename: font_00_sfnt_off0002724f.bin
  SHA-256: d669440366a0698b85526c657cf77f9c0a009eb3bdab813e73fef1ff3fedc8b6
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x2724F
  Size: 353564 bytes