Malicious PDF — malware analysis report

Static analysis result for SHA-256 36779d8a4aa2ca6a…

MALICIOUS

PDF

Size: 91.4 KB
Authoring application: Haru Free PDF Library 2.4.0dev
MD5: 7b16071936c58420c62b8fc338c9cf30
SHA-1: 7b7707e6858099681636199c63b762d0f2aeece8
SHA-256: 36779d8a4aa2ca6af25ba9a98aabbb3ca7999071d1e5b0024b41df4f438d311f
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment; T1566.002 Spearphishing Link (the delivered PDF and the click-outward URI it carries)
T1059.001 PowerShell (not supported by any heuristic or artifact listed below; treat this mapping as unverified)

The PDF was identified as an image-only lure with an action trigger, a common phishing technique. A high-severity heuristic flagged a clickable URI whose bytes are encoded with PDF octal string escapes, so the destination does not appear as plain text in the file; decoded, it points to the domain 'xephankhoilon.vn'. That URL is the primary indicator of malicious intent and is most likely the destination of the phishing attempt.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0689

Heuristics (2)

  • PDF_ESCAPED_URI_IMAGE_LURE (high): Image-heavy PDF hides clickable URL with PDF string escapes
    The PDF is image-heavy with little real text, and its clickable HTTP(S) URI is encoded with PDF octal escapes. This combination is common in credential-phishing PDFs that render a screenshot-like prompt and obscure the destination from simple URL extractors.
  • PDF_IMAGE_LURE (medium): Image-only document with action trigger (screenshot lure)
    The PDF has 2 images, 0 text blocks, carries a click-outward action, and is only 91 KB: the typical shape of a phishing lure in which a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
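The two heuristics above describe a detectable shape: images but no text blocks, a link or launch action, and a /URI string written with octal escapes so that a grep for "http" finds nothing. The following is an added example, not code from the analysis platform or the report, that reproduces that check on a constructed, uncompressed PDF fragment. The decoder follows the PDF literal-string escape rules (named escapes, 1 to 3 octal digits, backslash-newline continuation, nested parentheses) and also handles the hex-string form `<...>`, which the page does not mention but which hides a URI from naive extractors in the same way. The host example.invalid and every object number are placeholders.

```python
import re

# Constructed sample (not the analysed file): an uncompressed, image-only
# single-page PDF whose full-page link annotation carries a /URI action.
# The destination is written with PDF octal escapes, so the bytes "http"
# never appear literally in the file. Raw bytes literal so Python does not
# expand the backslash sequences itself.
SAMPLE_PDF = rb"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]
  /Resources << /XObject << /Im0 5 0 R >> >> /Contents 6 0 R
  /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 612 792]
  /A << /S /URI /URI (\150\164\164\160\072\057\057example.invalid\057login) >> >> endobj
5 0 obj << /Type /XObject /Subtype /Image /Width 1 /Height 1
  /ColorSpace /DeviceGray /BitsPerComponent 8 /Length 1 >>
stream
A
endstream endobj
6 0 obj << /Length 31 >>
stream
q 612 0 0 792 0 0 cm /Im0 Do Q
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Named escapes allowed in a PDF literal string (PDF 32000-1, 7.3.4.2).
_ESC = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
        b"(": b"(", b")": b")", b"\\": b"\\"}
_OCT = b"01234567"

def read_literal_string(data: bytes, start: int) -> tuple[bytes, bool, int]:
    """Decode the PDF literal string whose '(' is at data[start].
    Returns (decoded bytes, saw_octal_escape, index just past the closing ')')."""
    out, depth, saw_octal, i, n = bytearray(), 1, False, start + 1, len(data)
    while i < n and depth > 0:
        c = data[i:i + 1]
        if c == b"\\":
            i += 1
            if i >= n:
                break
            c = data[i:i + 1]
            if c in _ESC:                      # \n \r \t \b \f \( \) \\
                out += _ESC[c]; i += 1
            elif c in _OCT:                    # \ddd: one to three octal digits
                j = i
                while j < n and j - i < 3 and data[j:j + 1] in _OCT:
                    j += 1
                out.append(int(data[i:j], 8) & 0xFF)
                saw_octal, i = True, j
            elif c in b"\r\n":                 # backslash-newline: continuation
                i += 1
                if c == b"\r" and data[i:i + 1] == b"\n":
                    i += 1
            else:                              # unknown escape: backslash dropped
                out += c; i += 1
        elif c == b"(":
            depth += 1; out += c; i += 1       # balanced parens need no escape
        elif c == b")":
            depth -= 1; i += 1
            if depth > 0:
                out += c
        else:
            out += c; i += 1
    return bytes(out), saw_octal, i

def extract_uri_actions(data: bytes) -> list[tuple[str, bool]]:
    """Every /URI value in the file as (uri, obscured); obscured is True when the
    string used octal escapes or the hex-string form, i.e. a grep would miss it."""
    found = []
    for m in re.finditer(rb"/URI\s*\(", data):              # literal string
        decoded, octal, _ = read_literal_string(data, m.end() - 1)
        found.append((decoded.decode("latin-1"), octal))
    for m in re.finditer(rb"/URI\s*<([0-9A-Fa-f\s]*)>", data):  # hex string
        digits = re.sub(rb"\s", b"", m.group(1))
        if len(digits) % 2:
            digits += b"0"                                   # odd trailing nibble
        found.append((bytes.fromhex(digits.decode()).decode("latin-1"), True))
    return found

URL_RE = re.compile(rb"https?://[\w.-]+(?:/[^\s()<>]*)?")

def naive_urls(data: bytes) -> list[str]:
    """What a plain regex URL extractor sees: the raw bytes only."""
    return [m.group(0).decode("latin-1") for m in URL_RE.finditer(data)]

def triage(data: bytes) -> dict:
    """Image-lure shape check on uncompressed objects (compressed object and
    content streams must be inflated first; that step is out of scope here)."""
    images = len(re.findall(rb"/Subtype\s*/Image\b", data))
    text_blocks = len(re.findall(rb"\bBT\b", data))         # BT ... ET text objects
    uris = extract_uri_actions(data)
    return {
        "images": images,
        "text_blocks": text_blocks,
        "uris": [u for u, _ in uris],
        "obscured_uri": any(o for _, o in uris),
        "naive_regex_hits": naive_urls(data),
        "image_lure": images > 0 and text_blocks == 0 and bool(uris),
    }

if __name__ == "__main__":
    for k, v in triage(SAMPLE_PDF).items():
        print(f"{k}: {v}")
```

On the constructed sample the regex extractor returns nothing while the decoder recovers `http://example.invalid/login` and flags it as obscured, which is exactly the gap PDF_ESCAPED_URI_IMAGE_LURE closes. Against a real sample the check only works on decoded objects, so run it after inflating FlateDecode streams and object streams, and treat `/Launch`, `/SubmitForm` and `/JavaScript` actions as the same class of click-outward trigger.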

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000daea.bin
SHA-256:  5c643a10ed07ee166cae686ce01c4408e2e3717a17023dfb80638b3379ab4dd2
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0xDAEA
Size:     91955 bytes