PDF malware analysis — malicious · b0df936105f5f5cc

MALICIOUS

PDF

MD5: d332de88116f1767fd5b5dd1389b5369 SHA-1: 57568cea1f2ec6f825d14993ceb12c38e9f0af86 SHA-256: b0df936105f5f5ccd9a13f4abc6b7e09cf64d8c1513e21dea87883201aacbabe

110 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file is identified as an image-only lure, typical for phishing attacks. It contains multiple invisible links pointing to a ZIP archive hosted on Google Firebase Storage. The ML classifier also flagged this PDF as malicious. The primary attack vector involves tricking the user into downloading and likely executing the contents of the ZIP file.

Machine Learning

Nyx PDF Classifier malicious score 0.8357

Heuristics 3

Invisible/repeated PDF links deliver payload file critical PDF_REPEATED_PAYLOAD_LINK_LURE

PDF uses invisible link annotations and points to a direct payload download. Repeated invisible links or lure-like payload names such as document/unlock/verify archives match malware-delivery PDF carriers where the page is only a prompt and the real payload is fetched from the linked URL.
Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE

PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 46 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL https://firebasestorage.googleapis.com/v0/b/aerial-matrix-377704.appspot.com/o/lJTnKIACL9%2FINV_Copy_02_13_%2381.zip?alt=media&token=dfc5c8d4-39ff-42bd-836f-185b30735ae2

Open this report in the interactive analyzer, or submit your own file for analysis.