PDF malware analysis — malicious · 988d430ce0e9f196

MALICIOUS

PDF

38.6 KB

MD5: 85fe6932218236db4dbf9bedbf9a9dd6 SHA-1: 5af37d7501f9ea12f5d384ab3c58ba5f31c25f95 SHA-256: 988d430ce0e9f19634cf7955eac6eb03e3b7774b788010c2a9742b38016d1ebf

102 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The critical ClamAV heuristic indicates this PDF is a dropper. The SE_PAYMENT_REDIRECT_LURE heuristic strongly suggests a business email compromise (BEC) or financial fraud lure. The PDF_URI heuristic reveals an external URL embedded within the document, which is likely the payload delivery mechanism. The document body is heavily obfuscated, preventing a detailed analysis of its specific content, but the combination of heuristics points to a malicious financial lure.

Heuristics 4

ClamAV: Pdf.Dropper.Agent-7285168-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Dropper.Agent-7285168-0
Payment redirection / bank-detail change lure high SE_PAYMENT_REDIRECT_LURE

Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/xap/1.0/
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/pdf/1.3/

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_cff_off000013c9.bin` `6db39fe1fc9fa7d77bf6c572894eb52cf6be89c0c86e905008a8d287b1bfdacf`	pdf-font-stream	PDF embedded font (cff) at offset 0x13C9	2567 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.