PDF malware analysis — malicious · 9e387f718c77a190

MALICIOUS

PDF

109.4 KB Created: 2016-03-07 09:21:25 -05:00 Authoring application: Microsoft® Word 2013 (via Neevia Document Converter Pro v6.7 (http://neevia.com))

MD5: 421654d9fe36544ee65ca8ba531ba2db SHA-1: ef8327a22e46e6900453ef7a5ee8b45ca5803315 SHA-256: 9e387f718c77a190e6b146c1219e5dc7b4cf6036a7dd40966cd682d8f2d5119b

92 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File T1566.002 Spearphishing Attachment

The file is identified as a malicious PDF by ClamAV and a machine learning classifier. It contains an embedded URI pointing to 'http://wohabatige.jimdo.com/', which is a common indicator for malware delivery. The PDF structure and heuristic firings suggest it's designed to exploit vulnerabilities or trick the user into downloading further malicious content.

Machine Learning

Nyx PDF Classifier malicious score 0.8054

Heuristics 3

ClamAV: Pdf.Dropper.Agent-7287169-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Dropper.Agent-7287169-0
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://neevia.com\))/CreationDate
- http://neevia.com
- http://wohabatige.jimdo.com/
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`stream_000_off00000380.bin` `9cbbd840444790f17becddcb0253941f47f536fbc6f1dcd2002903a00037c466`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x380	221388 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.