Malicious PDF — malware analysis report

Static analysis result for SHA-256 b82fb1586ca35dae…

Verdict: MALICIOUS
File type: PDF
Size: 482.1 KB
MD5: c894bb53b1b8feaf05ae43950e6f41bc
SHA-1: 7a2b70a5b213aec22ec1d72653199be4c4d7193c
SHA-256: b82fb1586ca35dae8fc324317858e5c437bd0292cfa1d29003feac489a375099
Risk Score: 194

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains multiple heuristics indicating a malicious intent, including repeated payload links, a fake invoice lure, a visual download button, and instructions for a password-protected archive. The presence of JavaScript actions and embedded JS streams suggests the document is designed to download and execute a second-stage payload. The primary lure appears to be financial, with references to payment redirection and bank details.

Heuristics (10)

  • Invisible/repeated PDF links deliver payload file (severity: critical) PDF_REPEATED_PAYLOAD_LINK_LURE
    PDF uses invisible link annotations and points to a direct payload download. Repeated invisible links or lure-like payload names such as document/unlock/verify archives match malware-delivery PDF carriers where the page is only a prompt and the real payload is fetched from the linked URL.
  • Password-protected archive handoff (severity: high) SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning.
  • Payment redirection / bank-detail change lure (severity: high) SE_PAYMENT_REDIRECT_LURE
    Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern.
  • Callback phishing phone lure (severity: medium) SE_CALLBACK_LURE
    Document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns.
  • JavaScript action (severity: low) PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (Matched inside a decoded stream.)
  • Embedded JS stream (severity: low) PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (Matched inside a decoded stream.)
  • Fake invoice / payment lure (severity: low) SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators.
  • Visual download / call-to-action button lure (severity: low) SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
  • Suspicious extracted artifact (severity: info) EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://big.faceless.org/products/report?version=1.1.40
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts (12)

Files carved from inside the sample during analysis.

Each entry lists: Filename, SHA-256, Kind, Source, Size, and any per-artifact Detection notes.

stream_002_off000005fc.js
  SHA-256: bab8690768e3009a54304b25f3eacdc6bfded4d7a8d79d421d74e05f6507ab47
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x5FC
  Size: 11557 bytes

objstm_0268_00.bin
  SHA-256: 4e8b497c49a6750c17b5262844c7b280634d4f8b452c8e2ed84d7eca5a8df3b8
  Kind: pdf-objstm-decoded
  Source: PDF /ObjStm 268 0 obj (inflated)
  Size: 18876 bytes

objstm_0020_00.bin
  SHA-256: 3d4e909b2506e75882b6fe751e019d37dc5c8b71f9834be12de59b415b0c2959
  Kind: pdf-objstm-decoded
  Source: PDF /ObjStm 20 0 obj (inflated)
  Size: 4147 bytes
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact contains 6 long base64-like blob(s).

objstm_0044_00.bin
  SHA-256: 2fb8f24da624a48602f63a9eef8dc3cdb61d2ffbb49c8c0364269306330a891f
  Kind: pdf-objstm-decoded
  Source: PDF /ObjStm 44 0 obj (inflated)
  Size: 1097 bytes

objstm_0054_00.bin
  SHA-256: 774d948203416814fe926917adfc80f610b9863d18ec74b1a663c7becce6a84a
  Kind: pdf-objstm-decoded
  Source: PDF /ObjStm 54 0 obj (inflated)
  Size: 457 bytes

font_00_cff_off000157bb.bin
  SHA-256: dc04bed45027f8b8c8201769e5788fc398dbb9d2186537534a6b89634dbd907f
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0x157BB
  Size: 85642 bytes
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact entropy is 7.45, consistent with packed or encrypted content.

font_01_cff_off0002d552.bin
  SHA-256: 6263d3ac63ccf46ab7dee535450c4c49085f2682ec97bd36a9dc980d194e6924
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0x2D552
  Size: 85639 bytes
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact entropy is 7.45, consistent with packed or encrypted content.

font_02_cff_off0003a8ff.bin
  SHA-256: c3bacbbbf3ba4bdc7a69dd237f61c620330aeb238358a6f58970456e1799611f
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0x3A8FF
  Size: 85645 bytes
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact entropy is 7.45, consistent with packed or encrypted content.

font_03_cff_off00047cac.bin
  SHA-256: c01eff8210d47ca5b01376cf66af60720c0ec3604dca38d047971aa06c66ae13
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0x47CAC
  Size: 85643 bytes
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact entropy is 7.45, consistent with packed or encrypted content.

font_04_cff_off00055061.bin
  SHA-256: c99b1e45352130d91d059524c4af8695f0c606a0dec10044fa4bea749103a2ef
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0x55061
  Size: 85635 bytes
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact entropy is 7.45, consistent with packed or encrypted content.

font_05_cff_off0006c79f.bin
  SHA-256: 76e6f1ced939bc744e27de595559a307b7e743c7cb04ba627cf3d977462ce394
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0x6C79F
  Size: 15493 bytes

font_06_cff_off000719af.bin
  SHA-256: 7290d9edd8d23030fff209f4fc2b5f1eea0f57dfffa1b60c908829bd3bc891c6
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0x719AF
  Size: 16037 bytes