Malicious PDF — malware analysis report

Static analysis result for SHA-256 fea038c737906bb5…

MALICIOUS

PDF

3.4 KB Created: 2012-02-07 17:47:09 +16:00 Authoring application: RAD PDF (via RAD PDF 2.38.3.1 - http://www.radpdf.com)
MD5: deac8dd31795ef80c0521be70a6048c2 SHA-1: d71f07b324a49623ed8acffd4630b4399f9cec17 SHA-256: fea038c737906bb5bf71ab446e29d9b19f79306974a40deb7cb3637e8bd293a2
62 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF document contains a ClamAV detection for Pdf.Dropper.Agent-7328955-0, indicating it's a known dropper. The document body presents a fake error message about a slow internet connection and prompts the user to click 'RELOAD'. This action redirects to a URL, http://office365.allbaba1.com/login_office.htm, which is likely a phishing page designed to harvest credentials. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier clean score 0.1234

Heuristics 3

  • ClamAV: Pdf.Dropper.Agent-7328955-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7328955-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://office365.allbaba1.com/login_office.htm
    • http://www.radpdf.com)/Creator(RAD
    • http://www.dynaforms.com
    • http://www.radpdf.com
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/

Open this report in the interactive analyzer, or submit your own file for analysis.