PDF malware analysis — malicious · 9ab20ec2ce6e78ca

MALICIOUS

PDF

203.8 KB Created: 2025-08-04 12:59:34 +02:00 Authoring application: Microsoft® Word 2016

MD5: 33e9fc2b249bdb6712c5a2740323b2eb SHA-1: 124aea5a7295d4d65e76f653f7b265dcda8d7003 SHA-256: 9ab20ec2ce6e78ca129ebfd4e0d1e844de1b03c7fbac9ea9a681d0dd6383029d

100 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious Link T1204.001 Malicious File

The PDF contains a direct link to an executable payload, identified as ScreenConnect.ClientSetup.msi. This aligns with a remote support tool lure, suggesting the document aims to trick the user into installing potentially malicious software under the guise of legitimate remote access. The embedded URL is the primary indicator of this malicious activity.

Heuristics 3

PDF link points directly to executable/archive payload critical PDF_DIRECT_PAYLOAD_LINK

PDF contains a clickable HTTP(S) URI whose path ends in an executable, script, shortcut, disk image, or archive extension. Documents can legitimately link to installers, so this is a high-risk delivery indicator rather than a standalone exploit fingerprint.
Remote-support tool lure high SE_REMOTE_SUPPORT_LURE

Document instructs the user to install, open, or connect with a remote-support tool such as AnyDesk, TeamViewer, Quick Assist, or ScreenConnect — high-risk in an unsolicited document
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL https://wakilamakila.com/Bin/ScreenConnect.ClientSetup.msi?e=Access&y=Guest&c=Administrator&c=&c=&c=&c=&c=&c=&c=

Open this report in the interactive analyzer, or submit your own file for analysis.