Malicious PDF — malware analysis report

Static analysis result for SHA-256 2d289ff40865799c…

Verdict: MALICIOUS
File type: PDF
Size: 106.4 KB
Created: 2018-06-12 09:41:10 -04:00
First seen: 2026-05-10
MD5: 0853237992f484185cf57b710d173170
SHA-1: bc89a259cbe6a7b24b462bf84e28eace4afd9345
SHA-256: 2d289ff40865799ce9176c213d94d943e6dd073d2be1bfec98dd092e2700f03f
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains multiple high-severity heuristics indicating the presence of algorithmically generated URLs, which are likely malicious. The heuristic 'ARCHIVE_ENCRYPTED_SUSPICIOUS_DELIVERY' suggests a password-protected archive containing a suspicious payload, further reinforcing the malicious nature of the file. The document likely aims to trick users into downloading malware via these deceptive links.

Machine Learning

  • Nyx PDF Classifier clean score 0.0141

Heuristics (5)

  • PDF link to algorithmically-generated URL (severity: high, id: PDF_RANDOM_URL_LINK)
    PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
  • Suspicious payload delivered in a password-protected archive (severity: high, id: ARCHIVE_ENCRYPTED_SUSPICIOUS_DELIVERY)
    The archive was password-protected (opened with a common malware-analysis password) and its extracted content is independently suspicious. Password-protecting the wrapper is a deliberate mail-gateway / static-scanner evasion; combined with suspicious content this is the standard malspam delivery pattern.
  • Visual download / call-to-action button lure (severity: low, id: SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
  • External URI (severity: info, id: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, id: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://en-us.secureconnection.moneytransaction.kb4.io/XT3JFayt0STQ2TlVuc1ZhNFZiRUxpZjlhYnVPamh2K09XOC8rSzBNZlJVS2JhQlpXUEd3L1FaZUsrYUIwbmppTFNtUHM5Q2EvVlhGb0RENkRkaUV6cDM1RTVCSGhUcVRxUFdVQUErdTZGN2k2YTZTYXBJSDJ3Mk0rK0tIc1N5STIxc1A0cGQrOFNMZmZhU0R4dFpERkk0dFR4NmxDeGpmNmlzSmVJaEtUUlMvN1l5VllxWVduQU9vc1k3S3RVb3grNWowbU9OOWQyZCt4UW10VFNURDc5Q1lIV1NvSmdZZz0tLUZoT1ByamdBeldUUXA1VnUtLVF5K216am1XUGY5RURHVEFKalZaVVE9PQ==?cid=2963249024 (PDF link annotation)
    • https://en-us.secureconnection.moneytransaction.kb4.io/XVXhuT0krdXkzdzgrWDlNSGdiS3owcTM5eTBmMjJHOGk5N0Z0UlRRUE5pRllpckNubkJxUnp2MjdyNlJaRkVaVFJPdnY4YnN6TkxYK0tGdmJoTzNCNThUcHU3WVBLcHdna1dkdTh2d003V1V5S3gvUVc1bzRsM0VZSVovT244YU9XNDBWa1RjeXQ0Wk1iUFFSdlFNUDQ0OHF6YS9EMUxTdHZBdTBHeElNZ0ZSUGRlN1F0UkhSVVVqQjkwWHNkaWtvVXgweFlsSmhQd1dzbGV4MzljczhkaWRnSDQ2OTZKQT0tLUpidGwyTHBYS0xrQ0dUbTItLXlmd3E0R2czRWUyODl3Qm9BRE5zTlE9PQ==?cid=2963249024 (in document body)
    • https://en-us.secureconnection.moneytransaction.kb4.io/XblNIdVlLdmZla01MdTVwYVQydG5WNUpSY0RtK0lKLzk0TlBWUnZnT2xKem95Qm1NenZiclJSU0JyRVN4Zy9IRU41dXBtN3lZSWVrbWhLODJEak9oR2lscEQyS3JzT3hEWnhWZ1NmTE9ZZUo1d3prZmhKeEIxaDhjVGttTFhXY1RCTTd0MnJoZHUrbGx4SnRJY0xXZ0RqbWhkRE9QN2tacjFnZjErSnl6bXhlRzVQRWcrdlVLSmNtYzNCcVE4Mk1UUFg5L01hcUYwdlZ0b2VYRHFBM1JGYTJQU3Fla2Q3Zz0tLXk5clBLeUxEN0lrTlJvWlYtLTgyTE1tY0QwbE1nNnBvcWNIeEJ0Z1E9PQ==?cid=2963249024 (in document body)
    • https://en-us.secureconnection.moneytransaction.kb4.io/XVXhuT0krdXkzdzgrWDlNSGdiS3owcTM5eTBmMjJHOGk5N0Z0UlRRUE5pRllpckNubkJxUnp2MjdyNlJaRkVaVFJPdnY4YnN6TkxYK0tGdmJoTzNCNThUcHU3WVBLcHdna1dkdTh2d003V1V5S3gvUVc1bzRsM0VZSVovT244YU9XNDBWa1RjeXQ0Wk1iUFFSdlFNUDQ0OHF6YS9EMUxTdHZBdTBHeElNZ0ZSUGRlN1F0UkhSVVVq (in document body; URL truncated as extracted)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document body)
    • http://ns.adobe.com/xap/1.0/ (in document body)
    • http://purl.org/dc/elements/1.1/ (in document body)
    • http://ns.adobe.com/xap/1.0/mm/ (in document body)
    • http://ns.adobe.com/tiff/1.0/ (in document body)
    • http://ns.adobe.com/exif/1.0/ (in document body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_cff_off000192bf.bin
Kind: pdf-font-stream
Source: PDF embedded font (cff) at offset 0x192BF
Size: 4575 bytes
SHA-256: 9340d372ad75a105fdb1627a30e96f892e0dc7d9588c0150cf06b4fa72281cc0