Linux Analysis Report
eicarINFECTED.pdf

Overview

General Information

Sample name: eicarINFECTED.pdf
Analysis ID: 1523490
MD5: 911dd1610034027a924387d42f56bdf0
SHA1: 6ce8d59428b6a646ac5eb440b540e8984ece5b08
SHA256: 4daf4edbb04383b93094e89636f303bb11ab687636a4d40813e930c213c3b513
Infos:

Detection

Score: 52
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Creates hidden files and/or directories
Document contains embedded VBA macros
Document misses a certain OLE stream usually present in this Microsoft Office document type
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

AV Detection

Source: eicarINFECTED.pdf ReversingLabs: Detection: 83%
Source: eicarINFECTED.pdf Joe Sandbox ML: detected
Source: recently-used.xbel.HYI2U2.38.dr String found in binary or memory: http://freedesktop.org
Source: recently-used.xbel.HYI2U2.38.dr String found in binary or memory: http://www.freedesktop.org/standards/desktop-bookmarks
Source: recently-used.xbel.HYI2U2.38.dr String found in binary or memory: http://www.freedesktop.org/standards/shared-mime-info
Source: recently-used.xbel.HYI2U2.38.dr OLE indicator, VBA macros: true
Source: recently-used.xbel.HYI2U2.38.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: classification engine Classification label: mal52.linPDF@0/2@0/0
Source: /usr/bin/exo-open (PID: 4791) Directory: /home/james/.Xauthority
Source: /usr/bin/exo-open (PID: 4791) Directory: /home/james/.cache
Source: /usr/bin/dbus-launch (PID: 4799) Directory: /home/james/.Xauthority
Source: /usr/bin/evince (PID: 4816) Directory: /home/james/.Xauthority
Source: /usr/bin/evince (PID: 4816) Directory: /home/james/.Xdefaults-ubuntu
Source: /usr/bin/evince (PID: 4816) Directory: /home/james/.cache
Source: /usr/bin/dbus-launch (PID: 4835) Directory: /home/james/.Xauthority
Source: submitted sample Stderr: ** (evince:4816): WARNING **: Unimplemented action: POPPLER_ACTION_JAVASCRIPT, please post a bug report in Evince bugzilla (http://bugzilla.gnome.org) with a testcase.: exit code = 0
Source: /usr/bin/exo-open (PID: 4791) Queries kernel information via 'uname'
Source: /usr/bin/dbus-launch (PID: 4799) Queries kernel information via 'uname'
Source: /usr/bin/evince (PID: 4816) Queries kernel information via 'uname'
Source: /usr/bin/dbus-launch (PID: 4835) Queries kernel information via 'uname'
No contacted IP infos