Malicious PDF — malware analysis report

Static analysis result for SHA-256 36caf3ba9df00968…

MALICIOUS

PDF

192.3 KB Created: 2025-10-24 20:42:33 +08:00 Authoring application: WPS 表格
MD5: c7b70fe9934ac158399a312da9b2ef95 SHA-1: bf3932381399f2c3775198ed9ca290078ac19034 SHA-256: 36caf3ba9df00968517e783cc25747cb9e1b0c30124c1f6d75bf2341f98f4c7b
64 Risk Score

Malware Insights

MITRE ATT&CK
T1204 Malicious Link

The PDF contains an embedded link pointing directly to an executable or archive payload, identified as 'Tax Payment Notice.zip'. Additionally, another external URI 'http://www.itdd.club/' was found. These indicators suggest the document is designed to trick the user into downloading and running malware. The PDF structure and embedded links are consistent with a phishing or social engineering attack.

Machine Learning

  • Nyx PDF Classifier clean score 0.0010

Heuristics 3

  • PDF link points directly to executable/archive payload critical PDF_DIRECT_PAYLOAD_LINK
    PDF contains a clickable HTTP(S) URI whose path ends in an executable, script, shortcut, disk image, or archive extension. Documents can legitimately link to installers, so this is a high-risk delivery indicator rather than a standalone exploit fingerprint.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.itdd.club/
    • https://storage.googleapis.com/ydhhs/Tax%20Payment%20Notice.zip

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001f8b7.bin
64f1e723d2d6fa70a2e1d87ea124a54ea6254d3a568de689ac51ed8095f07ab7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1F8B7 241148 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.