Malicious PDF — malware analysis report

Static analysis result for SHA-256 938694ffa32dce83…

Verdict: MALICIOUS
File type: PDF
Size: 36.1 KB
Authoring application: PDFedit
MD5: 57e71d6efce5229d299ba1f340ee05a4
SHA-1: 17a57b5fde2b5014dc421cd8365a917c09de80f0
SHA-256: 938694ffa32dce8357116f4eb33186eba1e55e0a5c0187ba5c1c580b7deae583
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The ClamAV heuristic 'Pdf.Dropper.Agent-8008918-0' and the presence of multiple external URIs indicate that this PDF is designed to act as a dropper. The embedded URIs likely point to further malicious content, such as additional PDFs or executables, intended for download and execution. The document body's content is largely unreadable due to truncation and encoding, providing no further clues about the specific lure.

Heuristics (3)

  • ClamAV: Pdf.Dropper.Agent-8008918-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-8008918-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://wrinkleddogs.com/uploads/1/3/0/5/130538997/zozaf.pdf
    • http://midster.org/uploads/1/3/0/3/130379174/8007245.pdf
    • http://galenetics.com/uploads/1/3/0/6/130604421/c1d316.pdf
    • http://sstvipgroup.com/uploads/1/3/0/7/130775584/130775584.html#bootstrap+multi+file+upload+plugin

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00001033.bin
    SHA-256: 6d20c9c4a538a18c5f853ebf4c7ba527e04a6e6f7709af69ee4882e48b16700a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1033
    Size: 9336 bytes