Malicious PDF — malware analysis report

Static analysis result for SHA-256 25e34b5f6fd9369c…

Verdict: MALICIOUS
File type: PDF
Size: 61.0 KB
Created: 2018-06-26 19:35:47
Authoring application: Qt 5.5.1
First seen: 2021-09-27
MD5: 6b8509a143f8309981a6556cf4a7e23e
SHA-1: d5d6f9c20b38e68374a1b1414d34945722e8bf70
SHA-256: 25e34b5f6fd9369c5283d8233d8faef6242215a46359b30bf03bcd8c006f8452
Risk Score: 62

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains multiple invisible links pointing to external URLs, designed to trick the user into downloading a payload. The heuristic 'PDF_REPEATED_PAYLOAD_LINK_LURE' directly indicates this malicious behavior. The embedded URLs are the primary indicators of compromise.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0039

Heuristics (2)

  • Invisible/repeated PDF links deliver payload file (severity: critical; heuristic ID: PDF_REPEATED_PAYLOAD_LINK_LURE)
    PDF uses invisible link annotations and points to a direct payload download. Repeated invisible links or lure-like payload names such as document/unlock/verify archives match malware-delivery PDF carriers where the page is only a prompt and the real payload is fetched from the linked URL.
  • Embedded URL (severity: info; heuristic ID: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://blisinrica.newsbyme.ru/?dt&keyword=omegle+prank+video+download&charset=utf-8&source=weebly.com (in PDF document text)
    • http://blisinrica.briz-motors.ru/?dt&keyword=omegle+prank+video+download&charset=utf-8&source=weebly.com (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000c25f.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xC25F
    Size: 12960 bytes
    SHA-256: 3cf47e51f62b3d3bce5b83fb336001bea2097a7488aff1be939b0480cd610240
  • font_01_sfnt_off0000eae5.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEAE5
    Size: 1440 bytes
    SHA-256: 618532b2b63605606933cfd58ddc9c315380c32578cccb08d7e0d56cac08e209