Malicious PDF — malware analysis report

Static analysis result for SHA-256 d0265161d0ed290f…

Verdict: MALICIOUS
File type: PDF
Size: 119.0 KB
Created: 2023-05-30 10:52:12 +03:00
Authoring application: iTextSharp™ 5.5.10 ©2000-2016 iText Group NV (AGPL-version)
MD5:     abc068503faa367c801508f98808f4f5
SHA-1:   42324b937a39c816e124d4236c60c929a5830c69
SHA-256: d0265161d0ed290ff81ff99e4571de9b709b357c9e663ad2b4519b68497705f5
Risk score: 62

Malware Insights

MITRE ATT&CK
T1204.002 User Execution: Malicious File

The PDF contains a clickable link that points directly at a ZIP archive hosted on an external domain (https://crenicssolar.mx/ajtqesqopz/ajtqesqopz.zip). This is a typical delivery mechanism for a malicious payload: no exploit code was identified in the document itself, so the attack depends on the recipient following the link and opening the archive (User Execution, T1204.002). The critical heuristic PDF_DIRECT_PAYLOAD_LINK fires on this link, and the extracted URL is the primary indicator of compromise; the other two extracted URLs are XMP metadata namespace identifiers, not network indicators. No scripts were extracted from this sample. The only other flagged artifact is a high-entropy decompressed stream (see Extracted artifacts), which is an indicator to inspect rather than a detection on its own.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0094

Heuristics (3)

  • [critical] PDF_DIRECT_PAYLOAD_LINK: PDF link points directly to executable/archive payload
    PDF contains a clickable HTTP(S) URI whose path ends in an executable, script, shortcut, disk image, or archive extension. Documents can legitimately link to installers, so this is a high-risk delivery indicator rather than a standalone exploit fingerprint.
  • [info] EXTRACTED_FILE_STATIC_TRIAGE: Suspicious extracted artifact
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms. For this sample that is the entropy finding on stream_020_off0000cb4b.bin under Extracted artifacts.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL channel (macro, JS, link annotation, document body, ...) shows how each URL is reached.
    • https://crenicssolar.mx/ajtqesqopz/ajtqesqopz.zip (clickable link; the URL flagged by PDF_DIRECT_PAYLOAD_LINK)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (XMP/RDF namespace identifier, not a network indicator)
    • http://ns.adobe.com/tiff/1.0/ (XMP namespace identifier, not a network indicator)
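The two URL heuristics above, as an added worked example that is not the scanner's own code: a byte-level extractor that labels each URL with the channel that reached it (clickable /URI action, XMP metadata namespace, or loose text in the document body) and raises PDF_DIRECT_PAYLOAD_LINK only for clickable links whose path ends in a payload extension. The sample PDF bytes, the extension list and the namespace prefixes are constructed assumptions; a production extractor must also handle object streams, encrypted documents, hex-string URIs and PDF string escapes, which this pattern-based scanner does not.

```python
import re
from urllib.parse import urlparse

# Extensions treated as direct payload delivery (executables, scripts, shortcuts,
# disk images, archives). Assumed list; the scanner's exact set is not published here.
PAYLOAD_EXTENSIONS = {
    ".exe", ".msi", ".scr", ".dll", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".jse",
    ".hta", ".lnk", ".url", ".iso", ".img", ".vhd", ".vhdx",
    ".zip", ".rar", ".7z", ".gz", ".tar", ".cab",
}

# XMP/RDF namespace identifiers that legitimately appear in PDF metadata streams.
METADATA_NAMESPACE_PREFIXES = (
    "http://www.w3.org/1999/02/22-rdf-syntax-ns",
    "http://ns.adobe.com/",
    "http://purl.org/dc/",
)

# /URI actions carry the target as a PDF literal string. Hex strings (<...>) and
# escaped parentheses inside the literal are not handled by this simplified pattern.
URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Any http(s) URL anywhere in the raw bytes: XMP metadata, Info dictionary, page text.
RAW_URL_RE = re.compile(rb'https?://[^\s<>()"\x27]+')

# Constructed sample: a clickable /Link to the archive named in the report, an XMP
# metadata stream with the two namespace URIs, and a plain-text URL in the page
# content. Hand-built, so there is no xref table and /Length values are omitted.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 5 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] /Contents 6 0 R >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
  /A << /S /URI /URI (https://crenicssolar.mx/ajtqesqopz/ajtqesqopz.zip) >> >> endobj
5 0 obj << /Type /Metadata /Subtype /XML >>
stream
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:tiff="http://ns.adobe.com/tiff/1.0/"></rdf:RDF>
endstream
endobj
6 0 obj << >>
stream
BT /F1 12 Tf 72 712 Td (See https://example.invalid/readme.html for details) Tj ET
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def payload_extension(url: str):
    """Return the payload extension of the URL path (lower-cased), or None."""
    name = urlparse(url).path.rsplit("/", 1)[-1]
    if "." not in name:
        return None
    ext = "." + name.rsplit(".", 1)[-1].lower()
    return ext if ext in PAYLOAD_EXTENSIONS else None


def extract_urls(pdf: bytes) -> list:
    """One record per distinct URL, labelled with the channel that reached it."""
    seen, records = set(), []

    def add(raw: bytes, channel: str) -> None:
        url = raw.decode("latin-1")
        if url in seen:
            return
        seen.add(url)
        if channel != "link-annotation" and url.startswith(METADATA_NAMESPACE_PREFIXES):
            channel = "metadata-namespace"
        records.append({"url": url, "channel": channel,
                        "payload_extension": payload_extension(url)})

    # Pass 1: clickable targets, the channel that matters for payload delivery.
    for m in URI_ACTION_RE.finditer(pdf):
        add(m.group(1), "link-annotation")
    # Pass 2: everything else; a URL already seen as a link keeps that label.
    for m in RAW_URL_RE.finditer(pdf):
        add(m.group(0), "document-body")
    return records


def triage(pdf: bytes) -> list:
    """Apply the two URL heuristics from the report and return the hits in order."""
    urls = extract_urls(pdf)
    hits = []
    direct = [u["url"] for u in urls
              if u["channel"] == "link-annotation" and u["payload_extension"]]
    if direct:
        hits.append({"id": "PDF_DIRECT_PAYLOAD_LINK", "severity": "critical", "urls": direct})
    # Namespace identifiers stay in the extraction records but are not reported as IOCs.
    embedded = [u["url"] for u in urls if u["channel"] != "metadata-namespace"]
    if embedded:
        hits.append({"id": "EMBEDDED_URL", "severity": "info", "urls": embedded})
    return hits


if __name__ == "__main__":
    for rec in extract_urls(SAMPLE_PDF):
        print(f"{rec['channel']:20} {rec['payload_extension'] or '-':6} {rec['url']}")
    for hit in triage(SAMPLE_PDF):
        print(f"[{hit['severity']}] {hit['id']}: {hit['urls']}")
```

The severity split is the point: a ZIP reached through a clickable /URI action is critical, the same string sitting in page text would only be an info-level embedded URL, and the w3.org and ns.adobe.com identifiers are reported as metadata rather than as indicators.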

Extracted artifacts (7)

Files carved from inside the sample during analysis (filename, SHA-256, kind, source, size, detection).

stream_020_off0000cb4b.bin
  SHA-256:   7d6e8c2f330606eed50b77d2299e1abe1b09c84bdf7713fcdfeee2855ffee3e4
  Kind:      decompressed-pdf-stream
  Source:    PDF FlateDecoded stream at offset 0xCB4B
  Size:      4581 bytes
  Detection: ClamAV: no threats found
  Obfuscation or payload: likely. Carved artifact entropy is 7.42, consistent with packed or encrypted content. Note that data which remains high-entropy after Flate decompression can also be an embedded image, font or ICC profile that was already dense before compression; the entropy value is a reason to inspect the stream, not a detection by itself.

font_00_cff_off00000525.bin
  SHA-256:   321e7c1033e1f2d21a39e55764be64c5b600a25ef08997d0815b6c94fe4f25cf
  Kind:      pdf-font-stream
  Source:    PDF embedded font (cff) at offset 0x525
  Size:      2587 bytes

font_01_cff_off00002a4a.bin
  SHA-256:   a121fcfe8f2debd62f29a88e36180bb1f27d522d5811ab4a206e38f7c51217b8
  Kind:      pdf-font-stream
  Source:    PDF embedded font (cff) at offset 0x2A4A
  Size:      539 bytes

font_02_cff_off0000476c.bin
  SHA-256:   edb617c123f49533789229e253b0ed4b762c942ee8b361ae2a51c5de64c039f5
  Kind:      pdf-font-stream
  Source:    PDF embedded font (cff) at offset 0x476C
  Size:      539 bytes

font_03_cff_off00006499.bin
  SHA-256:   b0f74c1d3f8de6411025fe4536ea7097b9f7300348af5ef4c63b64681bbab0e5
  Kind:      pdf-font-stream
  Source:    PDF embedded font (cff) at offset 0x6499
  Size:      1340 bytes

font_04_cff_off0000850a.bin
  SHA-256:   4beb162a087c3d536cd5bb4547f88d8a2c31f3c9acdb8c0c6d6e9501472d7bff
  Kind:      pdf-font-stream
  Source:    PDF embedded font (cff) at offset 0x850A
  Size:      3578 bytes

font_05_cff_off0000ae10.bin
  SHA-256:   7b07c16722a971f83ffbea76b4b78e5bc064472ea6e2a95fa0f6ebdce5121e2f
  Kind:      pdf-font-stream
  Source:    PDF embedded font (cff) at offset 0xAE10
  Size:      539 bytes
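The entropy finding on stream_020_off0000cb4b.bin, as an added example that is not the analysis platform's code: carve every stream object, inflate the FlateDecode ones, compute the Shannon entropy of the decoded bytes, and only report "likely packed or encrypted" when no known dense format (JPEG, CFF or TrueType font, ICC profile) accounts for the high entropy. The sample PDF is hand-built here from a text content stream, a seeded pseudo-random blob standing in for an encrypted payload, and a JPEG-looking blob; the magic-byte list, the 7.0 bits-per-byte threshold and the object layout are assumptions for the example.

```python
import math
import random
import re
import zlib
from collections import Counter

# "<n> <g> obj << dict >> stream\r?\n<data>\r?\nendstream". The tempered dot stops the
# dictionary group at "endobj" so a stream-less object cannot swallow the next one.
# Adequate for the hand-built sample; not a general PDF parser (no xref, no object streams).
STREAM_RE = re.compile(
    rb"(\d+)\s+\d+\s+obj\s*<<((?:(?!endobj).)*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)

# Formats that are dense even when benign and so decode to high entropy:
# (magic bytes, offset, label). Assumed list for this example.
KNOWN_DENSE_FORMATS = (
    (b"\xff\xd8\xff", 0, "jpeg"),
    (b"\x01\x00\x04", 0, "cff-font"),      # CFF header: major 1, minor 0, hdrSize 4
    (b"OTTO", 0, "opentype-cff"),
    (b"\x00\x01\x00\x00", 0, "truetype"),
    (b"acsp", 36, "icc-profile"),
)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 .. 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def identify_format(data: bytes):
    """Label the decoded bytes if they start like a known dense format, else None."""
    for magic, offset, label in KNOWN_DENSE_FORMATS:
        if data[offset:offset + len(magic)] == magic:
            return label
    return None


def triage_streams(pdf: bytes, threshold: float = 7.0) -> list:
    """Carve each stream, inflate FlateDecode ones, and score the decoded bytes."""
    records = []
    for m in STREAM_RE.finditer(pdf):
        obj_num, obj_dict, raw = int(m.group(1)), m.group(2), m.group(3)
        decoded, error = raw, None
        if b"/FlateDecode" in obj_dict:
            try:
                decoded = zlib.decompress(raw)
            except zlib.error as exc:
                error = str(exc)
        entropy = shannon_entropy(decoded)
        fmt = identify_format(decoded)
        if error:
            verdict = "undecodable"
        elif entropy >= threshold and fmt is None:
            verdict = "likely packed or encrypted"
        elif entropy >= threshold:
            verdict = "high entropy but recognised " + fmt
        else:
            verdict = "plain"
        records.append({"object": obj_num, "offset": m.start(3), "raw_size": len(raw),
                        "decoded_size": len(decoded), "entropy": round(entropy, 2),
                        "format": fmt, "verdict": verdict})
    return records


def build_sample_pdf() -> bytes:
    """Constructed three-stream PDF; all streams are Flate-compressed. Not xref-consistent."""
    rng = random.Random(2023)
    text = b"BT /F1 12 Tf 72 712 Td (Invoice attached, see link) Tj ET\n" * 8
    packed = rng.randbytes(4096)                         # stands in for an encrypted blob
    jpeg = b"\xff\xd8\xff\xe0" + rng.randbytes(2048)     # JPEG-looking dense data
    objs = [b"1 0 obj << /Type /Catalog >> endobj\n"]
    for num, payload in ((2, text), (3, packed), (4, jpeg)):
        body = zlib.compress(payload)
        objs.append(b"%d 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % (num, len(body))
                    + body + b"\nendstream\nendobj\n")
    return b"%PDF-1.4\n" + b"".join(objs) + b"trailer << /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    for rec in triage_streams(build_sample_pdf()):
        print(f"obj {rec['object']:>3} @0x{rec['offset']:04X} {rec['decoded_size']:>5} B "
              f"entropy {rec['entropy']:.2f} format {rec['format'] or '-':12} {rec['verdict']}")
```

The decision worth copying is the second branch: the JPEG-looking stream scores just as high as the pseudo-random blob, and a scanner that stops at the entropy number would flag both. Checking the decoded bytes against known dense formats before calling something packed keeps images and fonts out of the suspicious pile, while an unexplained 7.4 in a FlateDecoded stream, as on this sample, still earns a manual look.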