PDF malware analysis — malicious · 43a19ec248f9323a

MALICIOUS

PDF

34.9 KB Authoring application: Haru Free PDF Library 2.4.0dev

MD5: 4ed79349cb45ab64910907241dc6c345 SHA-1: e0f04517ac8698bffd0592117009c650967152e3 SHA-256: 43a19ec248f9323a2725c21f4def3f45a08640379a403c144d1bee8b388878ec

60 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF is heavily image-based, a common technique for phishing lures. It contains a clickable URL that is obfuscated using PDF string escapes. The heuristic 'PDF_ESCAPED_URI_IMAGE_LURE' indicates that the URL http://technologius.com/wp-includes/ID3/xl/ is hidden within the document, likely leading to a malicious site.

Heuristics 2

Image-heavy PDF hides clickable URL with PDF string escapes high PDF_ESCAPED_URI_IMAGE_LURE

PDF is image-heavy with little real text and its clickable HTTP(S) URI is encoded with PDF octal escapes. This combination is common in credential-phishing PDFs that render a screenshot-like prompt and obscure the destination from simple URL extractors.
Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE

PDF has 2 image(s), only 0 text block(s), carries a click-outward action, and is only 34 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006773.bin` `31a1a6e80dc4f98e2f83229f84c3e64f7c7e1c1208d918e5b20054e6a21f4528`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6773	13443 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.