Malicious PDF — malware analysis report

Static analysis result for SHA-256 a9c91ab63d58bd23…

MALICIOUS

PDF

46.3 KB Created: 2017-11-26 18:42:57 +00:00 Authoring application: Microsoft® Word 2016
MD5: 66a5b549d2f13ca296a15ec60d7cb5ca SHA-1: d81abbd5c168f6227ef4c4fab37dc3fa0a3e0b3d SHA-256: a9c91ab63d58bd23e3eca7e9ea07b05112843298c2c26313ced5ebf344450901
62 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains heuristics indicating it is a dropper, and it embeds a URL pointing to 'www.dhl.cn', suggesting a phishing lure related to package delivery. The ClamAV detection 'Pdf.Dropper.Agent-7291196-0' further supports its malicious nature. The embedded URL and the nature of the ClamAV detection indicate the file is designed to download and execute a second-stage payload.

Machine Learning

  • Nyx PDF Classifier clean score 0.0004

Heuristics 3

  • ClamAV: Pdf.Dropper.Agent-7291196-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7291196-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.dhl.cn/
    • https://cutchi.or.tz/vel/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/

Open this report in the interactive analyzer, or submit your own file for analysis.