Malicious PDF — malware analysis report

Static analysis result for SHA-256 96f70ba00d1e9ab0…

MALICIOUS

PDF

Size: 84.7 KB
Created: 2017-11-14 14:20:06 UTC
MD5: 10322e009a5b99d9fe1cf5ee589c41ac
SHA-1: a54f155540582b3b47688e4ca7b7269d47b92ccd
SHA-256: 96f70ba00d1e9ab0cba8150626e361dc0ab9a484d5226130964f01cbb1b87035
Risk Score: 166

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1566.002 Spearphishing Attachment

The PDF was flagged as malicious by multiple engines, including a critical ClamAV detection for 'Pdf.Dropper.Agent-7284662-0'. Additionally, an embedded artifact was detected by ClamAV as 'Java.Trojan.Agent-36975'. The presence of embedded streams and XFA forms suggests an attempt to deliver or execute malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5538

Heuristics (5)

  • ClamAV: Pdf.Dropper.Agent-7284662-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7284662-0
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload (matched inside decoded stream)
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic (matched inside decoded stream)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename (SHA-256) | Kind | Source | Size
stream_004_off000007fd.bin (f0f8bacf863ecd57e28728c303a3ef64aaefc15907359ad207545e07bc8d788c) | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x7FD | 1605 bytes
stream_005_off00000b56.bin (647328532f72d587dcbe96c0b785daaebe90b7469ee224ef550ccd2d4cc80da8) | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xB56 | 262816 bytes
stream_010_off000130bb.bin (7c8dbcdc200499f076f796cd6c5339a5082c82ede84d179d0670b4e57b21c1f4) | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x130BB | 5124 bytes
Detection: ClamAV: Java.Trojan.Agent-36975
Obfuscation or payload: unlikely