PDF malware analysis — malicious · cb2528015508e0e1

MALICIOUS

PDF

MD5: 30f250fd3c6c38f72d816024054e8d20 SHA-1: 679f2306734e3dbfa7916337e67c0e57f34c4855 SHA-256: cb2528015508e0e13eefe9ce8884bd7662984ad01dfca1b1ce09224bd9d2f702

72 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF was identified as malicious by an ML classifier and exhibits characteristics of a phishing lure, specifically an image-only document designed to trick users into clicking a link. The embedded URI points directly to an IP address, which is a common tactic for hosting malicious content or phishing pages. No scripts were extracted from this sample.

Machine Learning

Nyx PDF Classifier malicious score 0.9557

Heuristics 3

Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE

PDF has 2 image(s), only 0 text block(s), carries a click-outward action, and is only 112 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
Clickable URI points to raw IP address medium PDF_URI_IP_LITERAL

PDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://5.181.159.55/index.php

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`stream_001_off0000041e.bin` `dd083558bcee5a4e4bcd0ab427c5d808cbc95a8c1acc86b0c576d95266803aba`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x41E	1795200 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.