Malicious PDF — malware analysis report

Static analysis result for SHA-256 4594ab93854f59d7…

Verdict: MALICIOUS
File type: PDF
Size: 376.5 KB
Created: 2022-04-27 09:35:35 +00:00
Authoring application: PDF Expert 2.5.20 Mac
First seen: 2022-05-05
MD5: 62610680349de97db658a7d41fc9a9b8
SHA-1: e7860d1faa381d6be9aca9138c8181ee86160242
SHA-256: 4594ab93854f59d72ac1231e379bd24abe92336e6808ab2ac0251e5db8704a57
Risk Score: 92

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The PDF contains a direct link to a ZIP archive hosted on an IP address, which is a strong indicator of a malicious download lure. The heuristic 'PDF_DIRECT_PAYLOAD_LINK' confirms this, and the presence of a clickable URI pointing to the same IP address further supports this finding. The document body was not sufficiently readable to provide additional context, but the direct payload link strongly suggests the intent is to trick the user into downloading and executing malware.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.2784

Heuristics (5)

  • PDF link points directly to executable/archive payload [critical] PDF_DIRECT_PAYLOAD_LINK
    The PDF contains a clickable HTTP(S) URI whose path ends in an executable, script, shortcut, disk image, or archive extension. Documents can legitimately link to installers, so this is a high-risk delivery indicator rather than a standalone exploit fingerprint.
  • Clickable URI points to raw IP address [medium] PDF_URI_IP_LITERAL
    The PDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure.
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    The document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). This is a low-signal finding unless other findings point to a malicious workflow.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://128.199.7.40/PATCH%20CVE00456-2022.zip
    • http://www.iec.ch

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • icc_00_off0002074c.icc
    Kind: pdf-icc-profile
    Source: PDF ICC profile at offset 0x2074C
    Size: 4508 bytes
    SHA-256: 73d504558e7d03ef4ff2676ba62c7553ee5bd856b45da2d330e33e012ad61fb3
  • icc_01_off00021970.icc
    Kind: pdf-icc-profile
    Source: PDF ICC profile at offset 0x21970
    Size: 3144 bytes
    SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e