Malicious PDF — malware analysis report

Static analysis result for SHA-256 1916be2cfcaaa5cd…

MALICIOUS

PDF

113.1 KB Created: 2021-12-31 00:20:13 Authoring application: Pay Florida Toll Invoice gazette (via FPDF 1.82) First seen: 2026-06-22
MD5: 9bbb20dd7e59355c705799d910de298d SHA-1: 3f134977202c967567e800d6a324180e2650ec06 SHA-256: 1916be2cfcaaa5cd99d8060aa80833b4e93589153926c0d671c2556dd030e8b7
120 Risk Score

Machine Learning

  • Nyx PDF Classifier clean score 0.0023

Heuristics 5

  • Invisible/repeated PDF links deliver payload file critical PDF_REPEATED_PAYLOAD_LINK_LURE
    PDF uses invisible link annotations and points to a direct payload download. Repeated invisible links or lure-like payload names such as document/unlock/verify archives match malware-delivery PDF carriers where the page is only a prompt and the real payload is fetched from the linked URL.
  • PDF carries SEO doc-farm redirector links (/pdf/<domain>) medium PDF_SEO_DOC_REDIRECTOR_LINK_FARM
    PDF contains clickable redirector links whose path ends in a bare website domain behind a /pdf/ or /doc/ segment (e.g. 'host/Document-Title-Slug/pdf/target-site.tld'), paired across both variants and/or alongside links into WordPress form-plugin upload storage. This is the generated 'free document/template' SEO phishing family: scrambled filler text plus links that route searchers through a redirector into payload/redirect chains. The PDF itself carries no exploit — the risk is the linked destinations.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) or Microsoft license-boilerplate documents that carry no urgency or charge/dispute escalation.
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://yoreparosavage.site/Pay-Florida-Toll-Invoice/pdf/nybventuresgroup.com In PDF document text
    • http://yoreparosavage.site/Pay-Florida-Toll-Invoice/doc/nybventuresgroup.comIn PDF document text
    • https://nybventuresgroup.com/wp-content/uploads/formidable/8/automatic-renewal-clause-new-york.pdfIn PDF document text
    • https://nybventuresgroup.com/wp-content/uploads/formidable/8/new-learner-licence-hyderabad-slot-booking.pdfIn PDF document text
    • https://nybventuresgroup.com/wp-content/uploads/formidable/8/australia-travel-waiver-after-dui.pdfIn PDF document text
    • https://nybventuresgroup.com/wp-content/uploads/formidable/8/charleston-south-carolina-business-license.pdfIn PDF document text
    • https://nybventuresgroup.com/wp-content/uploads/formidable/8/sample-bylaws-for-llc.pdfIn PDF document text
    • https://nybventuresgroup.com/wp-content/uploads/formidable/8/protocol-axis-rc-drone-where-is-battery.pdfIn PDF document text
    • https://nybventuresgroup.com/wp-content/uploads/formidable/8/when-fructose-and-glucose-are-bonded-together-they-form.pdfIn PDF document text
    • https://nybventuresgroup.com/wp-content/uploads/formidable/8/apache-log-request-headers.pdfIn PDF document text
    • http://yoreparosavage.site/pay-florida-toll-invoice/doc/nybventuresgroup.comIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_020_off0001b8a9.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x1B8A9 76950 bytes
SHA-256: 43b13684882d332187dbe2691d5e4f64c33a98e381a4dc2316374ba1b923b47c