PDF malware analysis — malicious · b40677e00452f67b

MALICIOUS

PDF

205.9 KB Created: 2017-10-11 11:39:53 +00:00 Authoring application: Microsoft® Word 2016 (via www.ilovepdf.com) First seen: 2026-05-04

MD5: 54a9107292ce51c9bc1dae18c08df12f SHA-1: 6b6b1b160f3fc4737248d208da68eb334ae2e768 SHA-256: b40677e00452f67bda54630ea998a336fe9dbf7371cda3a1f0a59e7ab42ff829

64 Risk Score

Machine Learning

Nyx PDF Classifier clean score 0.0034

Heuristics 4

Brand-impersonation credential phishing lure high SE_BRAND_CREDENTIAL_PHISH

Document impersonates a well-known consumer brand and uses account-security / verification language ('unusual activity', 'account on hold', 'verify your account') to steer the reader to a credential-harvesting link. Corroborated by: call-to-action link host does not match the impersonated brand: http://go2l.ink/info091802.
Callback phishing phone lure medium SE_CALLBACK_LURE

Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) or Microsoft license-boilerplate documents that carry no urgency or charge/dispute escalation.
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://go2l.ink/info091802 PDF link annotation
- http://ocsp.verisign.com0In PDF document text
- https://i.imgur.com/CuYHT2A.pngIn PDF document text
- https://i.imgur.com/BJH8zQL.pngIn PDF document text
- https://i.imgur.com/CuYHT2A.png)/TypeIn PDF document text
- https://i.imgur.com/BJH8zQL.png)/TypeIn PDF document text
- http://www.microsoft.com/typography/ctfontshttp://lucasfonts.comMicrosoftIn PDF document text
- http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text
- http://www.microsoft.com/typography/fonts/default.aspxIn PDF document text
- http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl0XIn PDF document text
- http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt0In PDF document text
- http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl0TIn PDF document text
- http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt0In PDF document text
- http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl0aIn PDF document text
- http://www.microsoft.com/pkiops/certs/MicCodSigPCA2011_2011-07-08.crt0In PDF document text
- http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl0^In PDF document text
- http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt0��In PDF document text
- http://www.microsoft.com/pkiops/docs/primarycps.htm0@In PDF document text
- http://www.microsoft.com/Typography/0In PDF document text
- http://www.monotype.com/html/mtname/ms_symbol.htmlhttp://www.monotype.com/html/mtname/ms_welcome.htmlNOTIFICATIONIn PDF document text
- http://www.monotype.com/html/type/license.htmlIn PDF document text
- http://crl.verisign.com/ThawteTimestampingCA.crl0In PDF document text
- http://crl.verisign.com/tss-ca.crl0In PDF document text
- http://crl.microsoft.com/pki/crl/products/CodeSignPCA2.crl0OIn PDF document text
- http://www.microsoft.com/pki/certs/CodeSignPCA2.crt0In PDF document text
- http://www.microsoft.com/typographyIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`stream_002_off00003bcf.bin`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x3BCF	371744 bytes
SHA-256: `78f530b1601021787e52b5134047b97bba8af910617ac8fe63033aed1818cafd`
`font_00_sfnt_off00000687.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x687	24332 bytes
SHA-256: `ca6c494bb5ef9be7361cfad38425c9e5ec46bc51a29f0a9ed3e0b4866540a7f4`

Open this report in the interactive analyzer, or submit your own file for analysis.