Malicious PDF — malware analysis report

Static analysis result for SHA-256 94fe4c750fd2924d…

MALICIOUS

PDF

40.2 KB Created: 2023-07-05 12:00:49 -07:00 Authoring application: iTextSharp’ 5.5.13.2 ©2000-2020 iText Group NV (AGPL-version) First seen: 2026-05-13
MD5: b3ef1ff6dc85a12fc12021b1e053ba64 SHA-1: a72776b5cf8370000413054f2112d1bec8337a01 SHA-256: 94fe4c750fd2924de3b542b8b66cf2dc5c0b8808f1d1f793f9f966250165e498
72 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 User Execution: Malicious Link

The PDF is identified as an image-only document designed as a lure, containing a single clickable link. The heuristic 'PDF_IMAGE_LURE' indicates a common phishing tactic where a screenshot is presented, hiding an actionable element. The embedded URL 'https://mem.f2aw.com/laity' is the primary indicator of compromise, likely serving as the destination for the malicious click.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8565

Heuristics 3

  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 40 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • Image-only PDF lure with a single link to a non-reputable host medium PDF_IMAGE_LURE_NONREPUTABLE_LINK
    PDF is image-heavy with little real text and its only clickable action is a single external link to a host that is not known-good. This is the canonical malspam carrier shape — a screenshot-like 'click to view' page whose sole purpose is to funnel the victim to one redirect/landing URL on a compromised or throwaway domain. Flagged suspicious rather than malicious because the link alone (no shortener / typosquat / brand path) is the only corroborator beyond the image lure.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://mem.f2aw.com/laity In PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
icc_00_off00000058.icc pdf-icc-profile PDF ICC profile at offset 0x58 456 bytes
SHA-256: 12afb4d9953adee0607d347daee5b78b18d6b3cab2d572b88970703f5edb37bc