PDF malware analysis — malicious · 8c6c66066d6ba6f5

MALICIOUS

PDF

123.4 KB Created: 2022-06-26 21:02:44 Authoring application: Direct Delivery Service Manteca Ca looking (via FPDF 1.82) First seen: 2022-07-15

MD5: 72e9ede89b6754c8bc735a8619785aa0 SHA-1: c0c6205d009a85b011cd5e2040d373dff88ce148 SHA-256: 8c6c66066d6ba6f54d5cf4d6c39bab23c69b9ebedf7ccc38cd287d46aa69986d

62 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains multiple invisible and repeated links that direct the user to download a payload from the domain 'fileheapsteele.site'. This technique is commonly used to deliver malware disguised as legitimate documents. The embedded URLs are the primary indicators of compromise.

Machine Learning

Nyx PDF Classifier clean score 0.0006

Heuristics 2

Invisible/repeated PDF links deliver payload file critical PDF_REPEATED_PAYLOAD_LINK_LURE

PDF uses invisible link annotations and points to a direct payload download. Repeated invisible links or lure-like payload names such as document/unlock/verify archives match malware-delivery PDF carriers where the page is only a prompt and the real payload is fetched from the linked URL.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://fileheapsteele.site/Direct-Delivery-Service-Manteca-Ca/pdf/www.arabianfal.com
- http://fileheapsteele.site/Direct-Delivery-Service-Manteca-Ca/doc/www.arabianfal.com

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`stream_026_off0001e0ac.bin` `43b13684882d332187dbe2691d5e4f64c33a98e381a4dc2316374ba1b923b47c`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x1E0AC	76950 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.