PDF malware analysis — malicious · ca938cd5f2ac9841

MALICIOUS

PDF

811.9 KB Created: 2010-09-14 22:07:39 Authoring application: Joomla! 1.5 - Open Source Content Management (via TCPDF 2.5.000_PHP4 (http://www.tcpdf.org))

MD5: da6a6493c36439fb4cb9cf4c7e8831b0 SHA-1: d4d4217fc544e1eee0e21fcbe0cecd3b2fd92ba9 SHA-256: ca938cd5f2ac98417832eae31be36b6f13787fbe340fea5f5d21fde3128adea8

130 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a hidden HTML iframe, which is a common technique for redirecting users to malicious websites. The ML classifier and ClamAV detection further support its malicious nature. The embedded URL points to a suspicious domain, likely serving as a lure for further compromise. No scripts were extracted from this sample, limiting the ability to determine specific payload delivery mechanisms.

Machine Learning

Nyx PDF Classifier malicious score 0.9851

Heuristics 3

ClamAV: Html.Spyware.IMG-7 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Html.Spyware.IMG-7
PDF contains hidden external HTML iframe high PDF_HIDDEN_HTML_IFRAME

PDF bytes contain a hidden zero-size HTML iframe pointing to an external HTTP(S) URL. This is a strong malicious dropper/redirect indicator and is not expected in ordinary PDF content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://www.codeforum.cn/free/max1.htm

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`stream_004_off0000ba7c.bin` `a5337ef1f5a0dfe4dc8fa6b4f3ef847a53624800b5928a0eeef5b888ceecaabc`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0xBA7C	264072 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.