Malicious PDF — malware analysis report

Static analysis result for SHA-256 dc05176391bbddd3…

MALICIOUS

PDF

Size: 110.4 KB
Authoring application: HiQPdf 10.15
MD5: 30f20015784c01b48dc1e1de1105f9a0
SHA-1: fb4f38f1f461f0e62ce51dd8f6cf617f9d7ac9bb
SHA-256: dc05176391bbddd31092037d5a3b6c3a6641986f1a27bf40d2bc79d1304e71b6
Risk Score: 102

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The file is detected as Pdf.Dropper.Agent-7312471-0 by ClamAV. It contains multiple embedded URLs pointing to the domain www.roaldtransport.pe, which are likely used to host malicious content or phishing pages. The heuristic 'SE_LOLBIN_RUN_COMMAND' suggests the document may contain instructions to execute commands, potentially leveraging the embedded URLs to download and run additional payloads. The presence of these indicators strongly suggests a malicious dropper or phishing campaign.

Heuristics (4)

  • ClamAV: Pdf.Dropper.Agent-7312471-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7312471-0
  • Visible LOLBin command execution instruction [high] SE_LOLBIN_RUN_COMMAND
    Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://www.roaldtransport.pe/.cssd/Outlook/office/login/#
    • http://www.roaldtransport.pe/.cssd/Outlook/office/login/office.php?cmd=login_submit&id=bc2b13966f9d94725af4a331362aefc7bc2b13966f9d94725af4a331362aefc7&session=bc2b13966f9d94725af4a331362aefc7bc2b13966f9d94725af4a331362aefc7#close
    • http://www.roaldtransport.pe/.cssd/Outlook/office/login/al.php?cmd=login_submit&id=bc2b13966f9d94725af4a331362aefc7bc2b13966f9d94725af4a331362aefc7&session=bc2b13966f9d94725af4a331362aefc7bc2b13966f9d94725af4a331362aefc7#close
    • http://www.roaldtransport.pe/.cssd/Outlook/office/login/othr.php?cmd=login_submit&id=bc2b13966f9d94725af4a331362aefc7bc2b13966f9d94725af4a331362aefc7&session=bc2b13966f9d94725af4a331362aefc7bc2b13966f9d94725af4a331362aefc7#close

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: stream_011_off0001713d.bin
    SHA-256: 7a785ed383632b26ddd67d51d7e4e16aa9b7cda55a6c0b7212e611e26cefd962
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x1713D
    Size: 39848 bytes
  • Filename: font_00_sfnt_off0000d4bd.bin
    SHA-256: 7abcfacaa03bcd6a8da3e9f733f90c0e38b1e9dc031fe7900272d03f5398a4ab
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD4BD
    Size: 45444 bytes