Malicious PDF — malware analysis report

Static analysis result for SHA-256 cef5804765b42781…

MALICIOUS

PDF

56.3 KB Created: 2021-10-21 01:01:54 +00:00 Authoring application: Chromium (via Skia/PDF m94)
MD5: 273da9fb93c4d4937895f44699fa4e0a SHA-1: eb763f018b431084dd3d44528fe476acae477727 SHA-256: cef5804765b42781b1b95fb906b8420cb15e697db9c7338c2750f0dfd9430d55
152 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious Link T1566.002 Spearphishing Attachment

The PDF is structured as an image-only lure, typical of phishing, with a clickable action that leads to a payload. The critical heuristic 'PDF_REPEATED_PAYLOAD_LINK_LURE' indicates that invisible links within the PDF are intended to deliver the executable 'InvoicePO102IndexLtdParamout.exe' from the domain 'aberfeldywatermillbooks.com'. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9489

Heuristics 4

  • Invisible/repeated PDF links deliver payload file critical PDF_REPEATED_PAYLOAD_LINK_LURE
    PDF uses invisible link annotations and points to a direct payload download. Repeated invisible links or lure-like payload names such as document/unlock/verify archives match malware-delivery PDF carriers where the page is only a prompt and the real payload is fetched from the linked URL.
  • Clickable PDF combines external action with parser-evasion structure high PDF_ACTION_PARSER_EVASION
    PDF has an external clickable URI together with object graph or xref structures that make parsers disagree, such as divergent duplicate objects, parser divergence, or xref offset mismatch. That combination is stronger than a plain link: the document is both an outward-action carrier and a parser-confusion/evasion sample.
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 56 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://www.aberfeldywatermillbooks.com/InvoicePO102IndexLtdParamout.exe

Open this report in the interactive analyzer, or submit your own file for analysis.