Malicious PDF — malware analysis report

Static analysis result for SHA-256 b2843c8ba0d30a19…

MALICIOUS

PDF

811.9 KB Created: 2010-08-17 21:09:01 Authoring application: Joomla! 1.5 - Open Source Content Management (via TCPDF 2.5.000_PHP4 (http://www.tcpdf.org))
MD5: 32a82d082583a0dc8ad9ce1803f6ac69 SHA-1: 5ff1f7a536de1afca5b28343dc7e8b79a3bb872f SHA-256: b2843c8ba0d30a1961a0f1f17b3a2aa02ac96691312e5c155d0b74cb86906745
100 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a hidden HTML iframe, which is a common technique for redirecting users to malicious websites. ClamAV detected this file as Html.Spyware.IMG-7, indicating malicious intent. The embedded URL points to an external resource, likely used to host or deliver the malicious content. No scripts were extracted from this sample, limiting the analysis of its specific execution flow.

Heuristics 3

  • ClamAV: Html.Spyware.IMG-7 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Html.Spyware.IMG-7
  • PDF contains hidden external HTML iframe high PDF_HIDDEN_HTML_IFRAME
    PDF bytes contain a hidden zero-size HTML iframe pointing to an external HTTP(S) URL. This is a strong malicious dropper/redirect indicator and is not expected in ordinary PDF content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.codeforum.cn/free/max1.htm

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_004_off0000ba7c.bin
a5337ef1f5a0dfe4dc8fa6b4f3ef847a53624800b5928a0eeef5b888ceecaabc		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0xBA7C 264072 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.