Malicious PDF — malware analysis report

Static analysis result for SHA-256 48eacba8ee92bd06…

Verdict: MALICIOUS
File type: PDF
Size: 111.5 KB
Created: 2023-05-24 12:47:00 +03:00
Authoring application: iTextSharp™ 5.5.10 ©2000-2016 iText Group NV (AGPL-version)
MD5: 6ce492dc18f47dd32ad5183d2074831f
SHA-1: 34cec6b18bacde847dae4ecbb0b525f658d3c189
SHA-256: 48eacba8ee92bd063cf9357f2bc8728d8eaf017c3daf066b9f45c8c4c08c6f95
Risk score: 62

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The PDF file contains a direct link to an executable ZIP archive, identified by the PDF_DIRECT_PAYLOAD_LINK heuristic. The embedded URL, https://gurumasport.fr/rxomzbptfg/rxomzbptfg.zip, is the primary indicator of malicious intent, suggesting a downloader or exploit delivery mechanism. The file's structure and the presence of a suspicious link strongly indicate an attempt to trick the user into downloading and running a malicious payload.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0106

Heuristics (3)

  • PDF link points directly to executable/archive payload [critical] PDF_DIRECT_PAYLOAD_LINK
    PDF contains a clickable HTTP(S) URI whose path ends in an executable, script, shortcut, disk image, or archive extension. Documents can legitimately link to installers, so this is a high-risk delivery indicator rather than a standalone exploit fingerprint.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://gurumasport.fr/rxomzbptfg/rxomzbptfg.zip
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/tiff/1.0/

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename: stream_017_off0000ae18.bin
  SHA-256: 7d6e8c2f330606eed50b77d2299e1abe1b09c84bdf7713fcdfeee2855ffee3e4
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0xAE18
  Size: 4581 bytes
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact entropy is 7.42, consistent with packed or encrypted content)

Filename: font_00_cff_off00000512.bin
  SHA-256: 321e7c1033e1f2d21a39e55764be64c5b600a25ef08997d0815b6c94fe4f25cf
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0x512
  Size: 2587 bytes

Filename: font_01_cff_off00002a37.bin
  SHA-256: a121fcfe8f2debd62f29a88e36180bb1f27d522d5811ab4a206e38f7c51217b8
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0x2A37
  Size: 539 bytes

Filename: font_02_cff_off00004759.bin
  SHA-256: edb617c123f49533789229e253b0ed4b762c942ee8b361ae2a51c5de64c039f5
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0x4759
  Size: 539 bytes

Filename: font_03_cff_off00006486.bin
  SHA-256: b0f74c1d3f8de6411025fe4536ea7097b9f7300348af5ef4c63b64681bbab0e5
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0x6486
  Size: 1340 bytes

Filename: font_04_cff_off000084f7.bin
  SHA-256: 4beb162a087c3d536cd5bb4547f88d8a2c31f3c9acdb8c0c6d6e9501472d7bff
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0x84F7
  Size: 3578 bytes