Malicious PDF — malware analysis report

Static analysis result for SHA-256 fba7abefc20ffdf9…

MALICIOUS

PDF

72.1 KB Created: 2017-11-13 17:44:03 -05:00 Authoring application: Microsoft® Word 2013
MD5: f1574f0517192940ee62b826fe930c38 SHA-1: 85f82bd96cb8d167c3a1a5b793e302e5abac6156 SHA-256: fba7abefc20ffdf92030ba4ccb59e1643e92b5abb8b27d72c18364f6a46b9957
62 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious Link

The file is identified as a PDF dropper by ClamAV. It contains embedded URLs pointing to external domains, specifically http://syellogid.info/hom/wait.php?stuff=v and http://nnonesetup23s.droppages.com/lab.html. These URLs are likely used to host and deliver a second-stage payload. The presence of these malicious links strongly suggests an attack pattern focused on redirecting the user to compromised or attacker-controlled sites.

Machine Learning

  • Nyx PDF Classifier clean score 0.0003

Heuristics 3

  • ClamAV: Pdf.Dropper.Agent-7327555-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7327555-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://syellogid.info/hom/wait.php?stuff=v
    • http://nnonesetup23s.droppages.com/lab.html

Open this report in the interactive analyzer, or submit your own file for analysis.