Malicious PDF — malware analysis report

Static analysis result for SHA-256 1b08f916d1777323…

MALICIOUS

PDF

106.3 KB Created: 2018-06-12 09:41:10 -04:00 First seen: 2026-06-12
MD5: 1582a6996a3102b7be392ca07c849e52 SHA-1: d3793a6bcfc4922b9c8967c6d9c46113a4fadabc SHA-256: 1b08f916d17773232f29464e7ce6f9deb8785730adf9a0ea060cea003cc6ba08
72 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a lure suggesting the document is encrypted, with a deceptive link that begins with 'https.' to trick the user into downloading a secondary payload. The embedded URL, https://https.file-transfers.ancillarycheese.com/, is highly suspicious and likely serves as the download source for malicious content. No scripts were extracted, but the PDF structure and heuristics strongly indicate a phishing or malware delivery attempt.

Machine Learning

  • Nyx PDF Classifier clean score 0.0141

Heuristics 5

  • Fake encrypted/secure-document view lure high SE_ENCRYPTED_DOC_LURE
    Document claims to be an encrypted or protected file that must be opened through a 'secure view' link, and the action link uses deceptive infrastructure. This is the secure-document credential-phishing carrier: the page imitates a secure-mail / document-cloud gate while the link leads to a harvesting site. action link host starts with a literal 'http(s).' label.
  • Clickable link host starts with a literal 'https.' label medium PDF_DECEPTIVE_SCHEME_HOST_LINK
    PDF contains a clickable HTTP(S) action whose destination hostname begins with a literal 'http.' or 'https.' DNS label (e.g. 'https.file-transfers.example.com'), so the rendered link reads 'https://https.…' and disguises the real registered domain as a secure service. No legitimate operator names a host this way — it is a URL-deception tell used by phishing carriers.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://https.file-transfers.ancillarycheese.com/XTjRpWE9qekxScytMQkdTcDlWK0k1NGRKcDJMckFqdTBjZ0hjN3NiaElyTVJoeVk1Z3ZZR3A1Wi9SeTBEdlRqdGFuK21lbENDc0VINENQYmsraFpYMFZaam5VbVJEY3hGUWFONHlpcXRpL2c5aFNoczZhWUxJS29iTERGLzdHdS9Jd0huTFpmbkV2aitKNmVjN2RmRDMwcDRXeWRxRnpCS3l0aW54eEZhTmQ4RGxHNWxwSTBGbndvbitZZjdRRm53Ry9Hbi0tRnczV3lBT2FxR0FvaTZ1di0tejBwVjE2ckhXS2hoMUZzNjlrWmxNUT09?cid=3051906875 PDF link annotation
    • https://https.file-transfers.ancillarycheese.com/XQ2FWUFE1YnVEUUlWRmt4RExXUmNrZUdVbDRSSk5lSTY5enNSbkYzM2xCNW1BS2NkclFGUGUraTM4R3dnN1V6M2pza0hMMWtjUlgwZDJVb1c0S29RRnFRVy9kUnRxSGU5TUx6OGZENkx2azk1b0MvWlhIQjFaYnRLdWhPM2U3aEpsZHd5M3B6WUZ6NmVlZ3RBN3ArWCtVQ1BCeWd1czRURzRHTWNCeTdwMTB6S2JtVU5WeXNwSjVORFRodjQ2OG9Vc2NtNS0tM2gzSlpZWlZ6UHN2VXZDUi0tTjVNTk8wS04yUDFBa1BqanNIVnJ5Zz09?cid=3051906875In PDF document text
    • https://https.file-transfers.ancillarycheese.com/XMzRZcEY2SGtpZFVYamxrZVliSmt0NmtyN1hPY28xbTIyZTVmdk1yb3k0WG1DbzVKTmVWY0IydURxN0VBNHRhUGpBcXZIb2c4dlBEMnZ3RWtZZCt6UGhESkJJblRjejc5M2I4RTNDY0wrUmNpT1VrTEQ3ODAyZXVMMUU0MHVRZFloWnNhamEzcnhpRnBvanRhSnRJR1RiSXRCbXZVZjB2d2M0MEsyZ25XVHV6Q0tRcG1XdVRiQnlvM3ZtNUY4OWF2UUpKMC0tbFUvZmJURXpwblRBVDFkUC0tV1BSU1JxTGVVdE11WkEyODVHaG8wZz09?cid=3051906875In PDF document text
    • https://https.file-transfers.ancillarycheese.com/XTjRpWE9qekxScytMQkdTcDlWK0k1NGRKcDJMckFqdTBjZ0hjN3NiaElyTVJoeVk1Z3ZZR3A1Wi9SeTBEdlRqdGFuK21lbENDc0VINENQYmsraFpYMFZaam5VbVJEY3hGUWFONHlpcXRpL2c5aFNoczPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/tiff/1.0/In PDF document text
    • http://ns.adobe.com/exif/1.0/In PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_cff_off00019235.bin pdf-font-stream PDF embedded font (cff) at offset 0x19235 4575 bytes
SHA-256: 9340d372ad75a105fdb1627a30e96f892e0dc7d9588c0150cf06b4fa72281cc0

Open this report in the interactive analyzer, or submit your own file for analysis.