Malicious PDF — malware analysis report

Static analysis result for SHA-256 25c44f9f59e7e1d7…

Verdict: MALICIOUS
File type: PDF
Size: 112.9 KB
Created: 2022-03-16 15:35:23
Authoring application: Outstanding School Fees Sample Letter filip (via FPDF 1.82)
First seen: 2022-07-15

MD5: f77131ba955891b728b6d73f696fa020
SHA-1: e16c7773422b8911816a4df0cd69c33aaffefea2
SHA-256: 25c44f9f59e7e1d7f9670f56d1256f362b0f502b017735ae2a7c9991c84f2cd9

Risk Score: 70

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains multiple embedded and invisible links, a common technique for luring users to download malicious payloads. The heuristic firings indicate that these links are repeatedly used and designed to deliver a payload, with the document itself employing a fake invoice or payment lure. The primary URLs identified are judgesclinic.site and eventsafetyplan.com, which are likely hosting the malicious content.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0023

Heuristics (3)

  • Invisible/repeated PDF links deliver payload file (critical, PDF_REPEATED_PAYLOAD_LINK_LURE)
    PDF uses invisible link annotations and points to a direct payload download. Repeated invisible links or lure-like payload names such as document/unlock/verify archives match malware-delivery PDF carriers where the page is only a prompt and the real payload is fetched from the linked URL.
  • Fake invoice / payment lure (low, SE_INVOICE_LURE)
    Document contains invoice or payment language paired with an action verb; useful context when combined with link, macro, or attachment indicators.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: stream_020_off0001b787.bin
SHA-256: 43b13684882d332187dbe2691d5e4f64c33a98e381a4dc2316374ba1b923b47c
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x1B787
Size: 76950 bytes