Malicious PDF — malware analysis report

Static analysis result for SHA-256 b6f213c4ebfe6ca8…

MALICIOUS

PDF

7.5 KB Created: 2021-10-13 12:24:43 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-26
MD5: a9cb68531c5a9970ee02321baf4c08a7 SHA-1: 4aa614405a9087f4bcf818c6dd201a3eda282ae7 SHA-256: b6f213c4ebfe6ca856615efdc455b22f31aa3b20bcd3cb3b607da6beb0fae4de
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file is identified as an image-only lure, a common tactic in phishing campaigns. It contains a deceptive link to 'yughsewndfleld.updt644-serv1ce.info', which is likely intended to lead the user to a malicious site. The file's structure and the presence of this suspicious URL strongly suggest an attempt to deceive the user into clicking through, potentially for credential harvesting or malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5535

Heuristics 4

  • Image-only PDF lure links to a deceptive (typosquat) host high PDF_IMAGE_LURE_DECEPTIVE_HOST_LINK
    PDF is image-heavy with little real text and its clickable action targets a host that impersonates a security/service/brand word with a look-alike homoglyph substitution — a digit OR a confusable letter (e.g. 'serv1ce', 'servlce', 'upd4te', 'm1cr0s0ft') — on a domain that is not a known-good site. This is a credential-phishing / fake-update carrier shape: a screenshot-like page funnels the victim to a deceptive look-alike destination.
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 2 image(s), only 0 text block(s), carries a click-outward action, and is only 7 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://yughsewndfleld.updt644-serv1ce.info PDF link annotation
    • http://www.microsoft.com/typography/ctfontshttp://www.tiro.comMicrosoftIn PDF document text
    • http://www.microsoft.com/typography/fonts/default.aspxIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00000f1a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF1A 5340 bytes
SHA-256: 0fe8f25c4aa22b2e53b65ecf500d46bf6d83123341eadc25fb7e4bb2143de179