Malicious PDF — malware analysis report

Static analysis result for SHA-256 fc97fa47eddeb507…

Verdict: MALICIOUS
File type: PDF
Size: 450.1 KB
MD5: 642daf14dbdccdcdb1d4344c77c3d1bf
SHA-1: 7ac544398180c1f03e9a6e1d0cfccbbab1a24add
SHA-256: fc97fa47eddeb5076c41dad676559a7c5be5baaeac2e64cdb869bcb5bfc90abf
Risk Score: 130

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1027 Obfuscated Files or Information

The PDF contains embedded files, specifically other PDFs, which is a common technique for delivering malicious content. The ClamAV detection 'Pdf.Dropper.Agent-7327950-0' strongly suggests this is a dropper. The embedded PDFs themselves have suspicious static findings, indicating a multi-stage attack. No document body text was available for analysis, but the embedded nature and dropper heuristic point to a payload delivery mechanism.

Machine Learning

  • Nyx PDF Classifier clean score 0.0876

Heuristics (5)

  • Embedded PDF child has suspicious static findings (severity: critical, rule: PDF_EMBEDDED_CHILD_STATIC_TRIAGE)
    PDF contains an embedded PDF stream whose extracted child matches suspicious or malicious PDF heuristics. Wrapper PDFs are commonly used to hide the actual exploit or lure payload from scanners that do not recursively inspect attachments.
  • ClamAV: Pdf.Dropper.Agent-7327950-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7327950-0
  • Embedded file (severity: low, rule: PDF_EMBEDDED)
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.
  • Remote GoTo action (severity: info, rule: PDF_GOTO_REMOTE)
    PDF has GoToR/GoToE actions that reference sibling document files, typical of multi-part document bundles.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Each artifact is listed with its Filename, SHA-256, Kind, Source and Size.

Filename: tool___e11---alert_one---nest--5-only-text-long-doc.pdf
  SHA-256: 5251fb84c726fd0634d0608b76487c4df7593fdd7f0ba1514a2d2216e470f3a5
  Kind:    pdf-embedded-file
  Source:  PDF EmbeddedFile object 244 at offset 0x1AA53
  Size:    114980 bytes

Filename: tool___e11---alert_one---nest--5-only-text-long-doc_1.pdf
  SHA-256: 04a485d580e84ae2392136008a14f7fe766d0e876009b93929b0a0e9985d893b
  Kind:    pdf-embedded-file
  Source:  PDF EmbeddedFile object 244 at offset 0x1AA54
  Size:    201351 bytes

Filename: tool___e11---alert_one---nest--5-only-text-long-doc_2.pdf
  SHA-256: 4c69081325d036d3762f5a873493ca002ea0f2caab09353059e7d2698f9feb5e
  Kind:    pdf-embedded-file
  Source:  PDF EmbeddedFile object 244 at offset 0x1AA54
  Size:    287873 bytes

Filename: tool___e11---alert_one---nest--5-only-text-long-doc_3.pdf
  SHA-256: 9ea2d1a74c7c49dc536b0bee8df5f6504c944d88bf23cddbe16050bbe8ca08cd
  Kind:    pdf-embedded-file
  Source:  PDF EmbeddedFile object 244 at offset 0x1AA54
  Size:    374419 bytes