Malicious PDF — malware analysis report

Static analysis result for SHA-256 c6353a662e7162f6…

MALICIOUS

PDF

397.0 KB Created: 2024-12-27 06:08:02 +01:00 Authoring application: Microsoft® Word 2016 First seen: 2025-02-19
MD5: 2a5ff24f34c7c80ae0fe9ad74ae3fb32 SHA-1: 38455ce0f86557476f8494c9290d2a088b9331cc SHA-256: c6353a662e7162f6593675e6cb990fcf8c7a78869b9f72e80dd774c3b3695627
70 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious Link

The PDF contains a direct link to a ZIP archive, identified by the PDF_DIRECT_PAYLOAD_LINK heuristic. This strongly suggests an attempt to trick the user into downloading and executing malicious content. The presence of a visual download button further supports this lure-based attack pattern. No scripts were extracted, and the document body was unreadable.

Machine Learning

  • Nyx PDF Classifier clean score 0.0125

Heuristics 3

  • PDF link points directly to executable/archive payload critical PDF_DIRECT_PAYLOAD_LINK
    PDF contains a clickable HTTP(S) URI whose path ends in an executable, script, shortcut, disk image, or archive extension. Documents can legitimately link to installers, so this is a high-risk delivery indicator rather than a standalone exploit fingerprint.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://f005.backblazeb2.com/file/bobbyvi/ceosnak/PO202501B.zip
    • https://docs.microsoft.com/typography/abouthttp://lucasfonts.comMicrosoft
    • http://en.wikipedia.org/wiki/MIT_License
    • http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl0X
    • http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt0
    • http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl0a
    • http://www.microsoft.com/pkiops/certs/MicCodSigPCA2011_2011-07-08.crt0
    • http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl0T
    • http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt0
    • http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl0^
    • http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt0��
    • http://www.microsoft.com/pkiops/docs/primarycps.htm0@
    • http://www.microsoft.com/Typography

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000b61f.bin
1353513270a633226b001a320ec20b828b104c33ea5bc3ec65cde038632ac8c1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB61F 537988 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.