PDF malware analysis — malicious · 0062742b752ac42b

MALICIOUS

PDF

153.7 KB Created: 2023-02-27 17:38:35 -01:00 Authoring application: ReportLab PDF Library - www.reportlab.com

MD5: e4bfb0cd8422d9cf5d43335b1d5395ec SHA-1: 6211440acc7666f8b0453f538fb823ea64a3eb31 SHA-256: 0062742b752ac42b2812ee2670b18943322856268c8d3e23e7f97656bd41969e

94 Risk Score

Malware Insights

MITRE ATT&CK

T1204 Malicious Link

The PDF contains a direct link to an executable file, identified by the PDF_DIRECT_PAYLOAD_LINK heuristic. The ML classifier also flagged the PDF as malicious with high confidence. The embedded URL points to a .exe file, indicating an attempt to deliver a second-stage payload.

Machine Learning

Nyx PDF Classifier malicious score 0.9466

Heuristics 3

PDF link points directly to executable/archive payload critical PDF_DIRECT_PAYLOAD_LINK

PDF contains a clickable HTTP(S) URI whose path ends in an executable, script, shortcut, disk image, or archive extension. Documents can legitimately link to installers, so this is a high-risk delivery indicator rather than a standalone exploit fingerprint.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://rheumatoidarthritis.xyz/QU-26469592.exe
- http://www.reportlab.com
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/

Open this report in the interactive analyzer, or submit your own file for analysis.