Malicious PDF — malware analysis report

Static analysis result for SHA-256 3ee4f0f19cb35a73…

MALICIOUS

PDF

261.2 KB Authoring application: Skia/PDF m141 Google Docs Renderer
MD5: ef551f820c6542ee9bb2968ba2f9f736 SHA-1: 589f6a74ec3f031f574df4f01d2ef0a0f73fa98d SHA-256: 3ee4f0f19cb35a7359a428edb3f746576aad1a55b36db777eb6e52f8ca181db9
70 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF document contains multiple invisible links designed to trick the user into clicking them, leading to a payload download. The heuristic 'PDF_REPEATED_PAYLOAD_LINK_LURE' directly indicates this malicious behavior. While the extracted URLs are confirmed benign, the heuristic strongly suggests a malicious intent behind the document's construction. The document body itself is heavily obfuscated and does not provide clear textual lures.

Machine Learning

  • Nyx PDF Classifier clean score 0.0001

Heuristics 3

  • Invisible/repeated PDF links deliver payload file critical PDF_REPEATED_PAYLOAD_LINK_LURE
    PDF uses invisible link annotations and points to a direct payload download. Repeated invisible links or lure-like payload names such as document/unlock/verify archives match malware-delivery PDF carriers where the page is only a prompt and the real payload is fetched from the linked URL.
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://www.euromonitor.com/article/whats-next-for-coffee-shops-in-southeast-asia?utm_source=chatgpt.com
    • https://datareportal.com/reports/tag/Asia?utm_source=chatgpt.com

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0002a7e7.bin
cbac2852574525e3d4a3eacf2409bf67db4715161bbe8aa4f0a8340515aec9f4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x2A7E7 68272 bytes
font_01_sfnt_off0003565b.bin
3f27501f28a4d65876649519b05aa632c38010d83869afdd9f2f70d5acbdbc32		 pdf-font-stream PDF embedded font (sfnt) at offset 0x3565B 26140 bytes
font_02_sfnt_off00039657.bin
5ce562a3c5fefe9c5a3b42fcd14e05982db7684d51311658ff180418444fe430		 pdf-font-stream PDF embedded font (sfnt) at offset 0x39657 26448 bytes
font_03_sfnt_off0003ba53.bin
bd9e83287b0d68b69d51ade3b1a6d88c9d79616100fdc6bf8b94f35bdafefa18		 pdf-font-stream PDF embedded font (sfnt) at offset 0x3BA53 13508 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.