Malicious PDF — malware analysis report

Static analysis result for SHA-256 b751b2eac3339971…

MALICIOUS

PDF

92.0 KB Created: 2023-03-21 18:36:23 +03:00 Authoring application: iTextSharp’ 5.5.10 ©2000-2016 iText Group NV (AGPL-version)
MD5: 73199fafb60857d7e82e8276053e2e4c SHA-1: b261d0d8754bed97feb326c06ed4d6d410606b02 SHA-256: b751b2eac3339971150467ad376b337fb21accbd8f66e01b5f5f938fa5038cf7
60 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The PDF document contains a direct link to a ZIP archive hosted at http://cidades.clickcurvelo.com/sync/64385ee7e5b4c.zip. This heuristic firing indicates the document is designed to facilitate the download of a potentially malicious payload. The presence of this direct link is the primary indicator of the attack pattern.

Machine Learning

  • Nyx PDF Classifier clean score 0.0051

Heuristics 2

  • PDF link points directly to executable/archive payload critical PDF_DIRECT_PAYLOAD_LINK
    PDF contains a clickable HTTP(S) URI whose path ends in an executable, script, shortcut, disk image, or archive extension. Documents can legitimately link to installers, so this is a high-risk delivery indicator rather than a standalone exploit fingerprint.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://cidades.clickcurvelo.com/sync/64385ee7e5b4c.zip

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_cff_off000032d1.bin
dc170c6f02f2b156352671fad65a9bda5b1469f65970b14b93d1b21cf765ef1b		 pdf-font-stream PDF embedded font (cff) at offset 0x32D1 2830 bytes
font_01_sfnt_off00004842.bin
dabca5bdd40353909ac18470e44e9982ebe51b0d3b2f342d78126ed3548b0529		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4842 5360 bytes
font_02_sfnt_off00005a94.bin
f034645ad92baf4f01365910fa6acf564b8f4da4489ceb3ccaa99230a4139ba4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5A94 7016 bytes
font_03_sfnt_off00007272.bin
2e140c78ba7a3deff895a12e3ef243ce609aa29c91ae9b82f5f04207a22e0655		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7272 6120 bytes
font_04_sfnt_off000086fa.bin
bcee5ba7d8cfb2e16dcee3a21900987f039f2c0243a316e3a11267d9f4248705		 pdf-font-stream PDF embedded font (sfnt) at offset 0x86FA 7272 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.