Malicious PDF — malware analysis report

Static analysis result for SHA-256 92ac591c7450d708…

MALICIOUS

PDF

Size: 22.6 KB
Created: 2016-03-02 12:42:53 -07:00
Authoring application: wkhtmltopdf
MD5: 47d833ce55afb184b03e83befb8e5155
SHA-1: 33a9784693ba6713116a7a40b8d1a19c98328423
SHA-256: 92ac591c7450d708a8aa3aa6592f2fccfa2cf0d3a4aa6078f30819ce7d8a58d4
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF was flagged by ClamAV as Pdf.Dropper.Agent-7283320-0 and by a machine learning classifier. It contains multiple embedded URIs, including one pointing to http://fiberglassmsp.com//libraries/legacy/log/up.htm, which has unknown reputation. The presence of these links, combined with the dropper classification, suggests the PDF is designed to redirect users to malicious content or download further payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8395

Heuristics (3)

  • ClamAV: Pdf.Dropper.Agent-7283320-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7283320-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL: http://fiberglassmsp.com//libraries/legacy/log/up.htm

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00002f00.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2F00
    Size: 3332 bytes
    SHA-256: aaba08232ebe2d133ea0c2486c0ac85cfb1cf392050aaf8c8146e4c92f2e477b
  • font_01_sfnt_off00003e33.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x3E33
    Size: 6112 bytes
    SHA-256: a951d404bdf21b6a46555c61c572042692c9f7ea4a4e8b580c357a7f0f24553f