Malicious PDF — malware analysis report

Heuristics 8

• PDF link points directly to executable/archive payload critical PDF_DIRECT_PAYLOAD_LINK
  PDF contains a clickable HTTP(S) URI whose path ends in an executable, script, shortcut, disk image, or archive extension. Documents can legitimately link to installers, so this is a high-risk delivery indicator rather than a standalone exploit fingerprint.
• Fake CAPTCHA with command-running instructions critical SE_FAKE_CAPTCHA_CLICKFIX
  Document combines fake CAPTCHA or human-verification language with instructions to paste or run a command — a high-confidence ClickFix pattern
• ClamAV: Win.Exploit.IFrame-1 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Win.Exploit.IFrame-1
• Visible LOLBin command execution instruction high SE_LOLBIN_RUN_COMMAND
  Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32
• Fake CAPTCHA / human verification prompt high SE_FAKE_CAPTCHA
  Document displays a fake CAPTCHA or human-verification prompt — used to trick users into running commands or pressing keyboard shortcuts
• Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
  PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
• External URI info PDF_URI
  PDF contains an external URL action
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL http://www.pentasafe.com

  • http://www.iponeverything.net/CodeRed.html
  • http://packetstormsecurity.org/distributed/cisco-newsflash.htm
  • http://www.sarc.com/avcenter/venc/data/w32.nimda.a@mm.html
  • http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_ad\
  • http://www.incidents.org/diary/september2001.php
  • http://www.microsoft.com/security/tools/redfix.asp
  • http://www.securityfocus.com/bid/1806
  • http://www.microsoft.com/technet/security/bulletin/ms00-078.asp
  • http://www.securityfocus.com/bid/2708
  • http://www.microsoft.com/technet/security/bulletin/MS01-026.asp
  • http://www.microsoft.com/technet/security/bulletin/ms00-057.asp
  • http://www.microsoft.com/technet/security/bulletin/MS01-044.asp
  • http://www.securityfocus.com/bid/1699
  • http://bugs.apache.org/index.cgi/full/543
  • http://www.netcraft.com/survey
  • http://www.microsoft.com/technet/security/tools/redfix.asp
  • http://www.microsoft.com/technet/security/tools/locktool.asp
  • http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
  • http://support.microsoft.com/support/kb/articles/Q164/5/39.ASP
  • http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml
  • http://download.nai.com/products/mcafee-avert/NimdaScn.zip
  • http://www.symantec.com/avcenter/venc/data/w32.nimda.a@mm.removal.tool.h\
  • http://www.cert.org/body/advisories/CA200126_FA200126.html
  • http://www.f-secure.com/v-descs/nimda.shtml
  • http://vil.nai.com/vil/virusSummary.asp?virus_k=99209
  • http://www.microsoft.com/technet/security/topics/nimda.asp
  • http://aris.securityfocus.com/alerts/nimda/010919-Analysis-Nimda.pdf
  • http://www.microsoft.com/technet/security/topics/NimdaIE6.asp

Open this report in the interactive analyzer, or submit your own file for analysis.