PDF malware analysis — malicious · 12d0fdbf2fbac76a

MALICIOUS

PDF

31.9 KB First seen: 2022-04-14

MD5: b58d78e4b4ff2f0e6c10b91ac58c6c31 SHA-1: ef6ae7012aaa192978ca67b8746b67464e526d3e SHA-256: 12d0fdbf2fbac76a12556a530aef1b12aed3489893d035a988ae1e72243021fe

70 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 User Execution: Malicious File

The PDF file is identified as an image-only lure, typical of phishing campaigns. It contains an embedded URL pointing to a file-hosting service, likely intended to deliver a secondary payload. The heuristics indicate a deliberate attempt to trick the user into downloading a file via a call-to-action button.

Machine Learning

Nyx PDF Classifier clean score 0.0004

Heuristics 4

Image/button lure links to file-hosting download high PDF_FILE_HOSTING_DOWNLOAD_LURE

PDF is an image-only or near-image-only lure with a clickable action to a public file-hosting download endpoint. This is a common malware delivery pattern: the visible page is just a screenshot/button, while the real payload is fetched from the external hosting service.
Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE

PDF has 2 image(s), only 1 text block(s), carries a click-outward action, and is only 31 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL https://www.mediafire.com/file/aqxby03f1fwjw5q/4.ppam/file

Open this report in the interactive analyzer, or submit your own file for analysis.