Malicious PDF — malware analysis report

Static analysis result for SHA-256 c906ab1c58ac70fe…

MALICIOUS

PDF

Size: 235.0 KB
Created: 2023-07-28 11:27:22 +03:00
Authoring application: iText® Core 7.2.5 (AGPL version) ©2000-2023 iText Group NV
MD5: 55abe9221df1a35a543673a4beae9b2e
SHA-1: 40771228c498f7c115a3db6e451b4b12ac4bdef4
SHA-256: c906ab1c58ac70fece30126edbb043f2ff8ca7da614f2e2a0f3c98a42c8a2431
Risk score: 60

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF contains a direct link to a ZIP archive, identified by the PDF_DIRECT_PAYLOAD_LINK heuristic. This strongly suggests the document's purpose is to facilitate the download of a secondary malicious file. The embedded URL points to a ZIP file, which is a common delivery mechanism for malware. No scripts were extracted, and the document body was heavily obfuscated, limiting further analysis of the immediate intent.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0063

Heuristics (2)

  • PDF link points directly to executable/archive payload [critical] PDF_DIRECT_PAYLOAD_LINK
    PDF contains a clickable HTTP(S) URI whose path ends in an executable, script, shortcut, disk image, or archive extension. Documents can legitimately link to installers, so this is a high-risk delivery indicator rather than a standalone exploit fingerprint.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://files.catbox.moe/6d9cob.zip

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: icc_00_off0003a69b.icc
SHA-256: 7e1c7ec53e8ea35fed3e169dee62115ac045f26c7bc256fab16a5c26c29eacbd
Kind: pdf-icc-profile
Source: PDF ICC profile at offset 0x3A69B
Size: 548 bytes