PDF static analysis report

Static analysis result for SHA-256 7ceba060b74ee519…

SUSPICIOUS

PDF

106.4 KB Created: 2018-06-12 09:41:10 -04:00 First seen: 2026-05-10
MD5: 25dce01fcbf461b34cbf1e8d81d98ded SHA-1: 462226e77c8b2fd7703bad3f1b3bdee613e73a7f SHA-256: 7ceba060b74ee519dd3ff0447a490c99984e18baacfa543df5002765e28668dd
52 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a link to an algorithmically-generated URL, disguised as a download button, which is a common lure for phishing or malware delivery. The presence of a suspicious, password-protected archive further indicates a malicious intent to deliver a secondary payload. The URL is obfuscated via a safelinks redirection service.

Machine Learning

  • Nyx PDF Classifier clean score 0.0141

Heuristics 4

  • PDF link to algorithmically-generated URL high PDF_RANDOM_URL_LINK
    PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://na01.safelinks.protection.outlook.com.url.protected-forms.com/XblBzOUhKNEpyZjV3anpuc3BqNklSTnMxYVBoM2lPQmZwU1hpMWNwS1drT25DampYZWdWVlRJaHlHNzhFOUkyaXhvRXBXNFp0T3RNME9WdUEyUlg4R0ZWcDFPdmRvZHJUbmJYZVNZWEw1U2NmVGwzbjFQZDVwRktDeTFYaWk4a2o4Q09IU0ErTlpRYjRLMDNlbXZtV0RhcWhaci93dGU4TXlNRSswUDJOWTFENzVLenpxN0pNa0FHcnRPV0xjb0xLWjNjSE93PT0tLVRRQ1RuT09vOHJ6K0xzOTAtLWZyZm80cmxkU1lVNDNkamo5cVY5VUE9PQ==?cid=3004356541 PDF link annotation
    • https://na01.safelinks.protection.outlook.com.url.protected-forms.com/XM2llcXhISHB6aGsveXdUcmJKeCtWbjJkbzIvcllZNFZDakNhZG9ITXdLbm5INysvNGx2ZGoraktaU2xua2VaaVhwWnVibDZKcHQvd1VTV0hZSmpmRWlZdGVWZUw5ZEk5MTAzWFF2UUFZd0lOVk95N3o2WTg0UUNHV2h6MTg3YndOOWg2UjFVckFrWHE2NlI2b3RJSTNBQWdmbVRoemo3RXlCSTZhdkxYZzZvaENqNlcrbFV1M2RQRVVsekhXRzV6Q0Z2b0VRPT0tLWllUkNSWGQrdXBwTkhpOHAtLTJjTlBKYjVUTngrbi9jRUZrR2JJcFE9PQ==?cid=3004356541In PDF document text
    • https://na01.safelinks.protection.outlook.com.url.protected-forms.com/XU0Vtb0lqM3lqd3ZtVzFHSFRVZnhEOVE1bGVrcllsb3k0Z0JUWmx0UDlMU0pSYUZhdkEvWjd6N1dVdU9CZXI0THAyYnhWRS9McDRYWm1IbmorMGVHK3BSNEdBWncwNXNEeUtFRnNqOXg5Qk1TOGplbmwvbFdyd3EzZHhGWjhkMU1kajZxNnhRaTdMdGxtK3VDZTVWQWFFSjNQNWp5ZHhOT1ZoS2pFY0JZWXdnWXlTS05PSDVPSHVZVkxuamcrNW1jaG9hYVhRPT0tLXgzUHZlWFJaZExvUWRCamwtLUM4K1VoRUVTdXR0a1dyMzhBUW5jTHc9PQ==?cid=3004356541In PDF document text
    • https://na01.safelinks.protection.outlook.com.url.protected-forms.com/XblBzOUhKNEpyZjV3anpuc3BqNklSTnMxYVBoM2lPQmZwU1hpMWNwS1drT25DampYZWdWVlRJaHlHNzhFOUkyaXhvRXBXNFp0T3RNME9WdUEyUlg4R0ZWcDFPdmRvZHJUbmJYZVNZWEw1U2NmVGwzbjFQZDVwRktDeTFYaWk4a2o4Q09IU0ErTlpRYjRLMDNlbXZtV0RhcWhaci93dGU4TXlNRSswUDJOWTFENPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/tiff/1.0/In PDF document text
    • http://ns.adobe.com/exif/1.0/In PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_cff_off0001928c.bin pdf-font-stream PDF embedded font (cff) at offset 0x1928C 4575 bytes
SHA-256: 9340d372ad75a105fdb1627a30e96f892e0dc7d9588c0150cf06b4fa72281cc0