Malicious PDF — malware analysis report

Static analysis result for SHA-256 3034be4e75ba90f9…

MALICIOUS

PDF

Size: 106.4 KB
Created: 2022-06-30 00:31:44
Authoring application: Verizon Upgrade With Contract tvtuner (via FPDF 1.82)
First seen: 2022-07-15
MD5: d4454958a88ea555431a121947ae7590
SHA-1: 74654e9d7ca4436d7cef8751f270fae239e91d69
SHA-256: 3034be4e75ba90f9dbc2001b80bcf76c717afe44407a57b62bee2d588087faee
Risk score: 62

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF document contains multiple invisible and repeated links pointing to external URLs, designed to trick the user into downloading a secondary payload. The embedded JavaScript stream, while not fully analyzed, likely facilitates the download and execution of this payload. The primary lure appears to be related to Verizon upgrades, leveraging a deceptive domain.

Machine Learning

  • Nyx PDF Classifier clean score 0.0010

Heuristics (2)

  • Invisible/repeated PDF links deliver payload file (critical) PDF_REPEATED_PAYLOAD_LINK_LURE
    PDF uses invisible link annotations and points to a direct payload download. Repeated invisible links or lure-like payload names such as document/unlock/verify archives match malware-delivery PDF carriers where the page is only a prompt and the real payload is fetched from the linked URL.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: stream_005_off000020d3.js
SHA-256: b14c9cd30286e41b69ca1be12ede8c953e4d9b51f0371eac453b22be97a1b70d
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x20D3
Size: 4474 bytes

Filename: stream_015_off00019e60.bin
SHA-256: 43b13684882d332187dbe2691d5e4f64c33a98e381a4dc2316374ba1b923b47c
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x19E60
Size: 76950 bytes