Malicious PDF — malware analysis report

Static analysis result for SHA-256 d29e60249fbd3139…

MALICIOUS

PDF

59.8 KB Created: 2021-06-16 15:12:50 +03:00 Authoring application: Theresa Brown (via Brian Cole) First seen: 2021-06-20
MD5: 1c45ca1e6e71381c185bbe518e70340a SHA-1: ea54841524ca42fee0ea2be2ec7d1c0dbbe3d2bd SHA-256: d29e60249fbd3139bf2d936c5773c85dbce1107dcd5d1f09c506547104a8776c
62 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 User Execution: Malicious Link

The PDF file is identified as an image-only lure, a common tactic for phishing or malware distribution. It contains a single external URI pointing to 'http://trbw.tacforge.com'. The document body is heavily obfuscated and appears to be a corrupted or malformed text extraction, but the presence of the image lure and the external URL strongly suggest a malicious intent to redirect the user to a potentially harmful site.

Machine Learning

  • Nyx PDF Classifier clean score 0.1425

Heuristics 4

  • Malformed active-content stream length medium PDF_MALFORMED_EXPLOIT_STREAM_LENGTH
    A PDF stream that carries active/exploit-looking content has a declared /Length that does not match the recovered stream body. Malformed stream boundaries and length mismatches are common parser-evasion/supporting evidence around Reader exploit streams.
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 59 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • Image-only PDF lure with a single link to a non-reputable host medium PDF_IMAGE_LURE_NONREPUTABLE_LINK
    PDF is image-heavy with little real text and its only clickable action is a single external link to a host that is not known-good. This is the canonical malspam carrier shape — a screenshot-like 'click to view' page whose sole purpose is to funnel the victim to one redirect/landing URL on a compromised or throwaway domain. Flagged suspicious rather than malicious because the link alone (no shortener / typosquat / brand path) is the only corroborator beyond the image lure.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://trbw.tacforge.com In PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.