PDF malware analysis — malicious · 36779d8a4aa2ca6a

MALICIOUS

PDF

91.4 KB Authoring application: Haru Free PDF Library 2.4.0dev

MD5: 7b16071936c58420c62b8fc338c9cf30 SHA-1: 7b7707e6858099681636199c63b762d0f2aeece8 SHA-256: 36779d8a4aa2ca6af25ba9a98aabbb3ca7999071d1e5b0024b41df4f438d311f

60 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment

The PDF file is identified as an image-only lure, typical for phishing attacks. It contains a clickable URL that is obfuscated using PDF string escapes. The URL 'http://xephankhoilon.vn/wp-content/themes/tiny/fonts/0yfcj/' is likely intended to lead the user to a malicious site for further exploitation or credential harvesting.

Machine Learning

Nyx PDF Classifier clean score 0.0689

Heuristics 2

Image-heavy PDF hides clickable URL with PDF string escapes high PDF_ESCAPED_URI_IMAGE_LURE

PDF is image-heavy with little real text and its clickable HTTP(S) URI is encoded with PDF octal escapes. This combination is common in credential-phishing PDFs that render a screenshot-like prompt and obscure the destination from simple URL extractors.
Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE

PDF has 2 image(s), only 0 text block(s), carries a click-outward action, and is only 91 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000daea.bin` `5c643a10ed07ee166cae686ce01c4408e2e3717a17023dfb80638b3379ab4dd2`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xDAEA	91955 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.