Malicious PDF — malware analysis report

Static analysis result for SHA-256 e8e1af3431f3c683…

Verdict: MALICIOUS
File type: PDF
Size: 411.0 KB
Created: 2020-02-10 10:29:01 +01:00
Authoring application: Microsoft® Word 2013
MD5: a0dde5b89b3ac08a01555794d5b04ad5
SHA-1: a2033af1079eb4deaeffdf5dd7bc86cffb1cb98b
SHA-256: e8e1af3431f3c68376cbd507bf8b4f7a5c0d88ce9ba92408e8fffba8f68cacc2
Risk score: 82

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell

A heuristic fired on this PDF for the use of a URL shortener, a common technique for obfuscating malicious links. The ClamAV detection further confirms its malicious nature. The embedded URL, http://bit.ly/2U8l7UH, likely leads to a second-stage payload or phishing page.

Machine Learning

  • Nyx PDF Classifier: suspicious score 0.2803

Heuristics (3)

  • ClamAV: Pdf.Dropper.Agent-7598146-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7598146-0
  • Clickable URI uses URL shortener [medium] (PDF_URL_SHORTENER_URI)
    PDF contains a clickable HTTP(S) action whose destination is a URL shortener. This hides the final landing page from static review and is common in phishing redirect PDFs.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://bit.ly/2U8l7UH

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • stream_002_off0000918e.bin
    SHA-256: 1fef1c5a7d721743c22d1878f3dfc6794e276aef1a534c0413822a64ba8ce4f0
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x918E
    Size: 575228 bytes
  • stream_003_off000393df.bin
    SHA-256: 46c61b44e7e1961007b9cd331b8049c440df6a4c32f77257b3cd39f0cadfdaae
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x393DF
    Size: 548888 bytes