Malicious PDF — malware analysis report

Static analysis result for SHA-256 0f22e3f750d2f572…

MALICIOUS

PDF

10.9 KB Created: 2021-05-14 06:41:04 +02:00 Authoring application: PDFescape Online - https://www.pdfescape.com (via RAD PDF 3.19.2.2 - https://www.radpdf.com) First seen: 2021-09-22
MD5: 97612254d163b8d9e787fcfa639d98a9 SHA-1: 933c2e0f359f2a8a3795340913cf0fc7afa9c400 SHA-256: 0f22e3f750d2f572138116028779f4a3a1a0ad41d2a08a0c4e8df0babf77562a
64 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF is identified as an image-only document designed as a lure, containing a clickable action that redirects to a suspicious URL. The presence of mail merge placeholders in the URL suggests a phishing attempt to harvest user credentials or deliver further malicious content. Although no scripts were explicitly extracted, the PDF structure and embedded URLs indicate a malicious intent to redirect users to potentially harmful sites.

Machine Learning

  • Nyx PDF Classifier clean score 0.0147

Heuristics 4

  • Clickable URL contains an unrendered mail-merge recipient placeholder high PDF_URL_MAILMERGE_PLACEHOLDER
    PDF has a clickable HTTP(S) action whose URL still contains an unrendered mail-merge / recipient placeholder (e.g. '[[-Email-]]', '{{recipient}}', '%FirstName%'). A delivered legitimate link has this token substituted; an unrendered token means the document is a phishing-kit template that personalises a credential-harvesting link per recipient.
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 2 image(s), only 0 text block(s), carries a click-outward action, and is only 10 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://sharepointdocs329ebc36ab6c71ec88ae4615be41109e.s3.filebase.com/redirect.html?email=[[-Email- PDF link annotation
    • https://sharepointdocs329ebc36ab6c71ec88ae4615be41109e.s3.filebase.com/redirect.htmlPDF link annotation
    • https://sharepointft7e4615bbc36ab6ce41109e329e71ec88a.s3.filebase.com/redirect.htmlIn PDF document text
    • https://www.radpdf.comIn PDF document text
    • https://www.radpdf.com)/Creator(PDFescapeIn PDF document text
    • https://www.pdfescape.com)/CreationDate(D:20210514064104+02In PDF document text
    • http://www.dynaforms.comIn PDF document text
    • https://www.pdfescape.comIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.