Malicious PDF — malware analysis report

Static analysis result for SHA-256 27639e54dbf0bfeb…

MALICIOUS

PDF

Size: 114.1 KB
Created: 2022-03-12 23:01:28
Authoring application: Signature With S Letter txnm (via FPDF 1.82)
First seen: 2022-07-15
MD5: e9f8aca31fbd97d809fc8f0e1f965fb0
SHA-1: e8ac486e5de4d2146a4fa0710c7fcc82a4baac36
SHA-256: 27639e54dbf0bfeb65b63a544cf2a5338d032bdf5a959e9eb6d5acf1e56ef535
Risk Score: 130

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF document contains multiple embedded links, with several heuristics indicating a lure for fake invoices or payment requests, and a critical alert for repeated invisible payload links. One heuristic specifically mentions a 'Recovery secret / private key request', suggesting the document attempts to phish for sensitive credentials. The presence of embedded JavaScript further supports the possibility of malicious actions being initiated upon interaction with the document.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0007

Heuristics (4)

  • Invisible/repeated PDF links deliver payload file (critical, PDF_REPEATED_PAYLOAD_LINK_LURE)
    PDF uses invisible link annotations and points to a direct payload download. Repeated invisible links or lure-like payload names such as document/unlock/verify archives match malware-delivery PDF carriers where the page is only a prompt and the real payload is fetched from the linked URL.
  • Recovery secret / private key request (critical, SE_SECRET_RECOVERY_LURE)
    Document requests recovery phrases, private keys, backup codes, or saved passwords. Requests for these secrets in a document are high-risk.
  • Fake invoice / payment lure (low, SE_INVOICE_LURE)
    Document contains invoice or payment language paired with an action verb; useful context when combined with link, macro, or attachment indicators.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://judgesclinic.site/Signature-With-S-Letter/pdf/eventsafetyplan.com
    • http://judgesclinic.site/Signature-With-S-Letter/doc/eventsafetyplan.com
    • https://eventsafetyplan.com/wp-content/uploads/formidable/51/sample-memorandum-of-understanding-for-independent-contractors.pdf
    • https://eventsafetyplan.com/wp-content/uploads/formidable/51/you-require-permission-from-trustedinstaller.pdf
    • https://eventsafetyplan.com/wp-content/uploads/formidable/51/rodan-and-fields-multifunction-eye-cream-instructions.pdf
    • https://eventsafetyplan.com/wp-content/uploads/formidable/51/impeachment-testimony-about-wire-fraud.pdf
    • https://eventsafetyplan.com/wp-content/uploads/formidable/51/writ-of-distress-procedure.pdf
    • https://eventsafetyplan.com/wp-content/uploads/formidable/51/eastman-outdoors-jerky-cure-instructions.pdf
    • https://eventsafetyplan.com/wp-content/uploads/formidable/51/child-custody-and-visitation-questionnaire-iowa.pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: stream_008_off0000322b.js
SHA-256: 780083d6d99dcb2c7d11be5420ec2f7acb9f484db2b443fc933aaf9e2370e2a9
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x322B
Size: 4951 bytes

Filename: stream_020_off0001bc7d.bin
SHA-256: 43b13684882d332187dbe2691d5e4f64c33a98e381a4dc2316374ba1b923b47c
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x1BC7D
Size: 76950 bytes