Malicious PDF — malware analysis report

Static analysis result for SHA-256 9bb6e32488bfdf8f…

MALICIOUS

PDF

39.1 KB Created: 2015-12-17 22:57:04 UTC Authoring application: Nitro Pro
MD5: 1a1b9cac261e33cbee61af47d0475e6e SHA-1: 9190e1b5667f51f0e160dc320b2aa9b1704e534d SHA-256: 9bb6e32488bfdf8f2fb0ce9ffd4b86738cb283a850b624c0eac57efd8b2af629
210 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF is structured as an image-only lure, designed to trick the user into clicking on an invisible link. Multiple heuristics indicate the presence of repeated, invisible payload links pointing to the URL http://madbodenhh.dk/Adobe/P-Order-98543.com. This URL, along with other unknown reputation URLs, suggests a phishing or malware distribution attempt. The ClamAV detection and ML classifier further support the malicious nature of this PDF dropper.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8784

Heuristics 5

  • Invisible/repeated PDF links deliver payload file critical PDF_REPEATED_PAYLOAD_LINK_LURE
    PDF uses invisible link annotations and points to a direct payload download. Repeated invisible links or lure-like payload names such as document/unlock/verify archives match malware-delivery PDF carriers where the page is only a prompt and the real payload is fetched from the linked URL.
  • ClamAV: Pdf.Dropper.Agent-7286291-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7286291-0
  • Clickable PDF combines external action with parser-evasion structure high PDF_ACTION_PARSER_EVASION
    PDF has an external clickable URI together with object graph or xref structures that make parsers disagree, such as divergent duplicate objects, parser divergence, or xref offset mismatch. That combination is stronger than a plain link: the document is both an outward-action carrier and a parser-confusion/evasion sample.
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 39 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://madbodenhh.dk/Adobe/P-Order-98543.com
    • http://stevedalestudio.com/wp-content/plugins/
    • http://the-hamilton.co.za/wp-content/themes/
    • http://tigerfishfrenzy.com/error/adobe
    • http://tigerfishfrenzy.com/2aboutus_files/rae/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/mm/

Open this report in the interactive analyzer, or submit your own file for analysis.