Malicious PDF — malware analysis report

Static analysis result for SHA-256 7708585dee11d957…

Verdict: MALICIOUS
File type: PDF
Size: 10.2 KB
Created: 2021-08-30 10:15:06 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-14
MD5: 23e1c2fe548f57b2c9b74a5d26685a79
SHA-1: 6b1f93438eec2c6f7fc40f15f3de2108720db4c0
SHA-256: 7708585dee11d957995f515576e21f2fe71fcb5abb15414e86518287dd449f10
Risk score: 72

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF is identified as an image-only lure containing a single link to a non-reputable host, http://lorafrank.infomail222.ru. The extractable document text appears to be part of the PDF structure rather than user-readable content, and no scripts were extracted. The ML classifier also flagged the file as malicious, supporting the conclusion that it is likely used for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5785

Heuristics (3)

  • Image-only document with action trigger (screenshot lure) [medium] PDF_IMAGE_LURE
    PDF has 2 image(s), only 0 text block(s), carries a click-outward action, and is only 10 KB. This is the typical shape of a phishing lure, where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • Image-only PDF lure with a single link to a non-reputable host [medium] PDF_IMAGE_LURE_NONREPUTABLE_LINK
    PDF is image-heavy with little real text, and its only clickable action is a single external link to a host that is not known-good. This is the canonical malspam carrier shape: a screenshot-like 'click to view' page whose sole purpose is to funnel the victim to one redirect/landing URL on a compromised or throwaway domain. Flagged suspicious rather than malicious because the link alone (no shortener, typosquat or brand path) is the only corroborator beyond the image lure.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://lorafrank.infomail222.ru (in PDF document text)
    • http://en.wikipedia.org/wiki/MIT_License (in PDF document text)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00000f42.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xF42
Size: 14372 bytes
SHA-256: 073803de7bb0ddea89e919c39ebbdd6fe2ca9b61d7ca1b42d428683bb9a47022