Malicious PDF — malware analysis report

Static analysis result for SHA-256 1d769af38bea969c…

MALICIOUS

PDF

136.1 KB Created: 2023-01-12 07:10:49 -08:00 Authoring application: iTextSharp’ 5.5.13.2 ©2000-2020 iText Group NV (AGPL-version)
MD5: 1aaa86ed07b42bad2787fa25011e9e5a SHA-1: 2d01f27a42b2aef8fc0664d593d67a08f9ec94ae SHA-256: 1d769af38bea969c00501ff64b51f4e4fd2de2bedc7785b3471b7d12765c1a7d
170 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 0.9619

Heuristics 4

  • Invisible/repeated PDF links deliver payload file critical PDF_REPEATED_PAYLOAD_LINK_LURE
    PDF uses invisible link annotations and points to a direct payload download. Repeated invisible links or lure-like payload names such as document/unlock/verify archives match malware-delivery PDF carriers where the page is only a prompt and the real payload is fetched from the linked URL.
  • ClamAV: Pdf.Trojan.IcedID-9983378-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Trojan.IcedID-9983378-0
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 2 image(s), only 0 text block(s), carries a click-outward action, and is only 136 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://firebasestorage.googleapis.com/v0/b/cobalt-nomad-372419.appspot.com/o/OwSq1IMH1D%2FDocument_224_Copy_01-12.zip?alt=media&token=aa49349f-ed98-456b-85c4-ce74daf4a0e3

Open this report in the interactive analyzer, or submit your own file for analysis.