Malicious PDF — malware analysis report

Static analysis result for SHA-256 ced930ccdffd4fbb…

Verdict: MALICIOUS
File type: PDF
Size: 40.8 KB
Created: 2015-08-27 21:32:59 +03:00
Authoring application: 1 (via Softplicity)
MD5: 5d6a2ac9cfb396941acd344d039ea15d
SHA-1: 08e8b388381f2d178d1c4d4316c3d3add8d42a29
SHA-256: ced930ccdffd4fbbdce17e036d3b359355c3b1511d06ee6dc1cba97471f09266
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The file is a PDF document identified by ClamAV as Pdf.Dropper.Agent-7768311-0. It contains an embedded URI pointing to 'http://get.tomsorg.com/goto.php?q=2000', which is likely used to download a secondary payload. The document body text is presented as trivia questions to disguise the malicious intent.

Heuristics (3)

  • ClamAV: Pdf.Dropper.Agent-7768311-0 (severity: critical, tag: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7768311-0
  • External URI (severity: info, tag: PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, tag: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URL: http://get.tomsorg.com/goto.php?q=2000
    Other URLs found in the document (XMP/RDF metadata namespaces):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: stream_004_off00003578.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x3578
    Size: 20616 bytes
    SHA-256: dc856c6c264184c050aebe5f766c048d4792571e3a7f6eeb8be7d00a87aeabc3
  • Filename: font_01_sfnt_off00006d3c.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6D3C
    Size: 17016 bytes
    SHA-256: e96beabf72847705901ab910e52c12a0c44653ad4677b14e6e8134de8c54a381