Malicious PDF — malware analysis report

Static analysis result for SHA-256 0b2721a0baccdbc5…

MALICIOUS

PDF

75.9 KB Created: =Â1²ßæÙN)2‹¿h4?žfè Authoring application: n“sìI  @_KoÌèp-7‡
MD5: 9b3abbd3f5d234526be8f63d0bc8890f SHA-1: 48c601b7137a1a1218ef107f153c878b38be34ef SHA-256: 0b2721a0baccdbc51eb6ebfaea30cda037d11c848396e816f7ef31b8d23012d5
64 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1027 Obfuscated Files or Information

The PDF is encrypted, preventing static analysis of its content, and contains heuristics indicating it's an image-only lure with a click-outward action. It also explicitly instructs the user about a password-protected archive, a common tactic to bypass gateway security and deliver malware. The benign URLs extracted do not contribute to the maliciousness assessment.

Machine Learning

  • Nyx PDF Classifier clean score 0.0009

Heuristics 4

  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 75 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • Encrypted PDF (string and stream contents are opaque to static scan) info PDF_ENCRYPTED
    PDF declares /Encrypt — string objects and stream contents are encrypted with the standard security handler (RC4 or AES). On its own this is informational; legitimate encrypted documents include signed contracts, billing statements, and rights-managed material. Static heuristics cannot inspect encrypted payload bytes.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.samsung.com/sec
    • http://www.microsoft.com/typography/fonts/
    • http://crl.microsoft.com/pki/crl/products/CSPCA.crl0H
    • http://www.microsoft.com/pki/certs/CSPCA.crt0
    • http://crl.microsoft.com/pki/crl/products/tspca.crl0H
    • http://www.microsoft.com/pki/certs/tspca.crt0
    • http://www.microsoft.com/typography

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e062.bin
cfa51b0084df9246c62451049f83186d8a15511add5e919fdbfcd0f2e7134335		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE062 48984 bytes
font_01_sfnt_off00010971.bin
8ae980b2e30d6d737d22532c21398649f0fa08925859686a0b949baf1b283e47		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10971 261876 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.