Malicious PDF — malware analysis report

Static analysis result for SHA-256 78ae8f5302b095b9…

MALICIOUS

PDF

32.4 KB Created: 2023-03-02 06:51:01 -08:00 Authoring application: iTextSharp’ 5.5.13.2 ©2000-2020 iText Group NV (AGPL-version)
MD5: 90644754278ad579037ca3387147dc6f SHA-1: 306d714781d021269e28280c56a82360614ae2bc SHA-256: 78ae8f5302b095b964372b93c27874a23c0704f21bee6500ad350e9c4a748c4a
172 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF file is identified as malicious by multiple heuristics and a machine learning classifier. It employs an image-only lure, a common phishing tactic, to conceal a direct link to a ZIP payload hosted on Google Firebase Storage. This indicates a clear intent to deliver a secondary malicious file to the victim.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8943

Heuristics 4

  • PDF link points directly to executable/archive payload critical PDF_DIRECT_PAYLOAD_LINK
    PDF contains a clickable HTTP(S) URI whose path ends in an executable, script, shortcut, disk image, or archive extension. Documents can legitimately link to installers, so this is a high-risk delivery indicator rather than a standalone exploit fingerprint.
  • ClamAV: Pdf.Downloader.Iceid-9992787-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Downloader.Iceid-9992787-0
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 32 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://firebasestorage.googleapis.com/v0/b/tactile-carver-377705.appspot.com/o/4xZMTjhXB5%2FInv_03_02_Copy%23275.zip?alt=media&token=59298adb-1b81-4d2b-bceb-b695e601056b

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
icc_00_off00000058.icc
43cdd2889d7e967a70e3688e45dc50c2f596288a4356b41234d247bbb69d5f30		 pdf-icc-profile PDF ICC profile at offset 0x58 456 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.