Malicious PDF — malware analysis report

Static analysis result for SHA-256 97c4216d0cc8ae64…

Verdict: MALICIOUS
File type: PDF
Size: 868.8 KB
Created: 2010-05-16 12:17:17
Authoring application: Microsoft® Office Word 2007
MD5: 3dbdac3dd913801b257828139f736a69
SHA-1: fd5236761377d8be1be39109bc5de06b17c34828
SHA-256: 97c4216d0cc8ae64a671e093204ac246b94e16a4f02c97be4c2be1e51384cd53
Risk Score: 230

Malware Insights

MITRE ATT&CK
  • T1059.003 Windows Command Shell
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF contains embedded script payloads and external URIs, indicating it's designed to deliver further malicious content. The 'SE_CLIPBOARD_COMMAND_LURE' heuristic suggests the document actively tries to trick the user into executing commands, likely to download and run a secondary payload. The 'SE_CALLBACK_LURE' heuristic points to a social engineering tactic, possibly a tech support scam or a refund scam, to elicit a phone call. The ClamAV detection further confirms its malicious nature as a dropper.

Heuristics 8

  • ClamAV: Doc.Dropper.Agent-1828513 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-1828513
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.antisecurity.org/
    • http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
    • http://www.learnphponline.com/security/sql-injection-prevention-mysql-php
    • http://www.enterprisenetworkingplanet.com/netsecur/article.php/3866756
    • http://7safe.com/breach_report/Breach_report_2010.pdf
    • http://www.owasp.org/index.php/Blind_SQL_Injection
    • http://en.wikipedia.org/wiki/SQL_injection#Blind_SQL_injection
    • http://www.darkreading.com/database_security/security/app-security/showArticle.jhtml?articleID=223100129
    • http://www.securityfocus.com/columnists/505

Extracted artifacts 6

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • ugroz_bezopas_v_TSA.doc
    SHA-256: 250ff87ba85b2cb7bd04c9e4442eb08f70d5c1d555347c16addaa0d05bda8cb0
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 337 at offset 0xC80B3
    Size: 234241 bytes
    Detection: ClamAV: Doc.Dropper.Agent-1828513
    Obfuscation or payload: unlikely
  • stream_024_off00028b01.bin
    SHA-256: 928a9ce82fc68142e44bb70ba16aa5cf633ac5075aa0a1759215329160bcd22f
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x28B01
    Size: 175408 bytes
  • stream_026_off0003f564.bin
    SHA-256: 46a3ad95b7c6aef27486bb8761a0f3788b5eeed9977a873f101a480b5072f7dd
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x3F564
    Size: 152664 bytes
  • stream_037_off000952d5.bin
    SHA-256: 7f97bd62b428c3005be3b45c9c7f1dc065ae71acbf9b34c0df0286e1a7597d23
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x952D5
    Size: 94808 bytes
  • stream_038_off000a18e2.bin
    SHA-256: d5e10e21e35ddcb9b27c25ecfb6835dbb7dfe585b0a557dc27b7024333035ca0
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xA18E2
    Size: 47372 bytes
  • stream_040_off000a5607.bin
    SHA-256: aaf6f546d687219a81e65fb1a99debb309bfecea4cb76256465cf3f54d97e6ab
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xA5607
    Size: 44004 bytes