Malicious PDF — malware analysis report

Static analysis result for SHA-256 b66634c388b0c39b…

Verdict: MALICIOUS
File type: PDF
Size: 122.0 KB
Created: 2017-11-08 08:09:12 +00:00
Authoring application: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 (via Skia/PDF (via pdfcrowd.com))
MD5: b22d267b784d767e985b6c26629619ca
SHA-1: bd497691fc0c7e7ac06bbd230d031f8da12e28c9
SHA-256: b66634c388b0c39ba90343d3e3aed30e96eeac5bb3ec2d67619f914bfe7b07b1
Risk score: 62

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The file is identified as a malicious PDF dropper by ClamAV. It contains an embedded URI pointing to 'https://www.yalovio.com/ald/crypt/index.html', which is likely used to host a malicious payload or redirect the user to a phishing site. No scripts were extracted from this sample, limiting the analysis of its specific execution flow.

Machine Learning

  • Nyx PDF Classifier clean score 0.0007

Heuristics (3)

  • ClamAV: Pdf.Dropper.Agent-7216700-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7216700-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://www.yalovio.com/ald/crypt/index.html
    • https://pdfcrowd.com/doc/api/?ref=pdf
    • https://pdfcrowd.com/?ref=pdf

Extracted artifacts (7)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00000c89.bin | da96ef89a15ceb5d53d529fdff6a5207c8906f4d1ddce5f28e2d985fd6cdb135 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xC89 | 36348 bytes
font_01_sfnt_off00005432.bin | 7f69d3824f0b4055fa1f8c76108a673dbca24c53d7ccaf731e35e2c975487817 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5432 | 39676 bytes
font_02_sfnt_off0000a644.bin | 43a7b9461600c8c76f4e6ec8c4c0ca9246496fdb80df3bc3944a0f35b18e2b17 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA644 | 32864 bytes
font_03_sfnt_off0000e51e.bin | cc2a3e81aec678e8c2270d77784c90fde200d3d1bdfdd5e2e43fe33cde03c64d | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE51E | 33644 bytes
font_04_sfnt_off00012291.bin | dcc4fc150b885f14d9236593ee632eb75c31d5b7c582754aea9fa8d3b055e22b | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12291 | 41404 bytes
font_05_sfnt_off0001642d.bin | 5899020b72e93d7a1a70881fbc31efe4ae0869002d6fb0e996eab25b3cde3653 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1642D | 37076 bytes
font_06_sfnt_off0001aee5.bin | 5091de8b5a8651ee3354927cb3e58ac938a47a05778b1c5b3dcda2384521acca | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1AEE5 | 21532 bytes