Malicious PDF — malware analysis report

Static analysis result for SHA-256 975836bfb257eb4f…

MALICIOUS

PDF

56.3 KB Created: 2021-10-21 01:01:54 +00:00 Authoring application: Chromium (via Skia/PDF m94) First seen: 2021-11-20
MD5: f584d78257c02b8173402cf3975ae8dc SHA-1: b0f6495e312a6930af3f873b142a24691aa0fe9c SHA-256: 975836bfb257eb4fda130fcf1d354fd8c4cdeec1f4238abfdfb71a696a0ac099
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 User Execution: Malicious File

The PDF file is identified as malicious due to its structure, which includes an image-only lure and invisible links. One critical heuristic specifically points to a repeated payload link leading to an executable file hosted at www.aberfeldywatermillbooks.com. This indicates a likely phishing attempt designed to trick the user into downloading and running malware.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9489

Heuristics 4

  • Invisible/repeated PDF links deliver payload file critical PDF_REPEATED_PAYLOAD_LINK_LURE
    PDF uses invisible link annotations and points to a direct payload download. Repeated invisible links or lure-like payload names such as document/unlock/verify archives match malware-delivery PDF carriers where the page is only a prompt and the real payload is fetched from the linked URL.
  • Clickable PDF combines external action with parser-evasion structure high PDF_ACTION_PARSER_EVASION
    PDF has an external clickable URI together with object graph or xref structures that make parsers disagree, such as divergent duplicate objects, parser divergence, or xref offset mismatch. That combination is stronger than a plain link: the document is both an outward-action carrier and a parser-confusion/evasion sample.
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 56 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://www.aberfeldywatermillbooks.com/InvoicePO102Indexparamout.exe In PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.