Malicious PDF — malware analysis report

Static analysis result for SHA-256 7f3b855d61fc9c8a…

MALICIOUS

PDF

Size: 191.1 KB
Created: 2017-07-31 07:50:51 -05:00
Authoring application: Adobe Acrobat 11.0 (via Acrobat Web Capture 11.0)
MD5: 9233b492a7bab7114b087e0a256858b3
SHA-1: f686be8e5f2ec686ac73029c6e1bdc6bf5751592
SHA-256: 7f3b855d61fc9c8ae08377c8e99f662361d1523d049b595825315a37a58328c5
Risk Score: 198

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF file was detected as malicious by ClamAV with the signature 'Pdf.Dropper.Agent-7384028-0'. Static analysis also identified embedded Flash content, which was further flagged by ClamAV as 'Swf.Exploit.CVE_2017_2932-6327375-0'. This indicates the PDF likely exploits a vulnerability within the embedded Flash object to download and execute a secondary payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5473

Heuristics (4)

  • ClamAV: Pdf.Dropper.Agent-7384028-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7384028-0
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • RichMedia (Flash) high PDF_RICHMEDIA
    PDF contains /RichMedia (Adobe Flash) which is a historic exploit vector
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • ClientSwf.swf
    SHA-256: 874c21f37e54e9712bcbb1157390202781ccb54da8ebc27b821c7d1324004fa9
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 251 at offset 0x18951
    Size: 204851 bytes
    Detection: ClamAV: Swf.Exploit.CVE_2017_2932-6327375-0
    Obfuscation or payload: unlikely
  • stream_051_off0000bc85.bin
    SHA-256: a2cc62cccfcf065bf387ad89164985bf00b8325c0b5123b9933a7ceae35e019a
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xBC85
    Size: 1053 bytes
  • icc_00_off00000956.icc
    SHA-256: 653b586c4707574ffcd648ba35494daed2c76ceafcf4c07d315ed961b1dc347f
    Kind: pdf-icc-profile
    Source: PDF ICC profile at offset 0x956
    Size: 408 bytes
  • icc_01_off0002d05d.icc
    SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
    Kind: pdf-icc-profile
    Source: PDF ICC profile at offset 0x2D05D
    Size: 3144 bytes