Malicious PDF — malware analysis report

Static analysis result for SHA-256 601404a367761761…

MALICIOUS

PDF

534.5 KB Created: 2022-07-21 17:29:19 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.12.8)
MD5: 46a1fd9bc640ee11456d150eab640c8c SHA-1: c6099a563a3263fc9dcae75f1cb275c83e6ce8a0 SHA-256: 601404a367761761bf1d5dcb5e3ba4d3d00231a30925e32c0e14381ebbb725ed
114 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains multiple invisible and repeated links pointing to a ZIP archive, which is a common lure for delivering malicious payloads. The ML classifier also flagged this PDF as malicious. The primary IOC is the URL hosting the payload, which is likely intended to be downloaded and executed by the user.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7256

Heuristics 4

  • Invisible/repeated PDF links deliver payload file critical PDF_REPEATED_PAYLOAD_LINK_LURE
    PDF uses invisible link annotations and points to a direct payload download. Repeated invisible links or lure-like payload names such as document/unlock/verify archives match malware-delivery PDF carriers where the page is only a prompt and the real payload is fetched from the linked URL.
  • PDF paints image(s) but contains no text operators medium PDF_IMAGE_ONLY_LURE
    PDF has 1 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://stcdanismanlik.com/Update/UpdatePDF.exe
    • https://stcdanismanlik.com/Update/UpdatePDF.zip
    • http://hosting2022private.duckdns.org/eubp/example.zip
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://www.aiim.org/pdfa/ns/extension/
    • http://www.aiim.org/pdfa/ns/property#
    • http://www.aiim.org/pdfa/ns/schema#
    • http://www.aiim.org/pdfa/ns/id/
    • http://ns.adobe.com/pdfx/1.3/
    • http://ns.adobe.com/xap/1.0/

Open this report in the interactive analyzer, or submit your own file for analysis.