Malicious PDF — malware analysis report

Static analysis result for SHA-256 95149a09467c268b…

MALICIOUS

PDF

21.1 KB Created: 2021-05-28 10:31:31 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-06-04
MD5: 62c9a89d456d01f82fbae92a35b6a771 SHA-1: 0fb9861ed47b0266e20808d8054abb9d5a1045d9 SHA-256: 95149a09467c268b0085cfae7f0f3269774281632c4582641e481509cef9cafd
62 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF is identified as an image-only lure, containing a screenshot that prompts the user to click an embedded link. The link, https://msen.page.link/FUZF, is presented as a URL shortener, which is a common tactic in phishing campaigns to obscure the final destination. While the URL shortener itself is marked as benign, the overall pattern suggests an attempt to deceive the user into navigating to a potentially malicious site.

Machine Learning

  • Nyx PDF Classifier clean score 0.1235

Heuristics 3

  • Image-only PDF lure links through URL shortener high PDF_IMAGE_LURE_SHORTENER_LINK
    PDF is image-heavy with little real text and its clickable action points to a URL shortener. This is a high-confidence credential-phishing carrier shape: the visible page is a screenshot-like prompt while the destination is hidden behind redirect infrastructure.
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 21 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://msen.page.link/FUZF In PDF document text
    • http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00003ae4.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x3AE4 14028 bytes
SHA-256: ba61161e3667c8b1506b1c4851c361dbb28966d1d304e85fc361cf51e613c7f1