Malicious PDF — malware analysis report

Static analysis result for SHA-256 fb3afac53850d5e9…

MALICIOUS

PDF

484.5 KB Created: 2017-11-21 11:26:36 +00:00 Authoring application: Microsoft® Word 2016 (via www.ilovepdf.com)
MD5: 53aad17616f3e7f1fde3a9ef4163a5b5 SHA-1: 4ccb7e67351bb448f2fdbd8c48da2617a0819a8c SHA-256: fb3afac53850d5e99e03724252ed1bd376f5c71f29056b8d22fbff904568a0f7
100 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains an embedded URL that utilizes a URL shortener, indicating a redirection to a potentially malicious site. ClamAV detection as Pdf.Dropper.Agent-7327365-0 strongly suggests malicious intent, likely to download and execute a secondary payload. The use of a URL shortener is a common tactic for obfuscating the final destination of malicious links.

Machine Learning

  • Nyx PDF Classifier clean score 0.0023

Heuristics 3

  • ClamAV: Pdf.Dropper.Agent-7327365-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7327365-0
  • Image-only PDF lure links through URL shortener high PDF_IMAGE_LURE_SHORTENER_LINK
    PDF is image-heavy with little real text and its clickable action points to a URL shortener. This is a high-confidence credential-phishing carrier shape: the visible page is a screenshot-like prompt while the destination is hidden behind redirect infrastructure.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ow.ly/gI2v30gIxhr

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_001_off00021f48.bin
e510393c444498094688d5fe47bbe13b3c547fd9c2c7b710adff7aa628cb4047		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x21F48 332744 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.