Malicious PDF — malware analysis report

Static analysis result for SHA-256 d3dee02788568879…

MALICIOUS

PDF

163.1 KB Created: 2024-02-09 00:00:00 Authoring application: LibrarySystem_30 (via Producer_16)
MD5: 978ce761a1c7f4b5ebfcd8c9728f1965 SHA-1: 3294fa3fd04aada60f5f92a407525ac7f798ce60 SHA-256: d3dee02788568879bc2a3968bd381c0fc5f121bb3c2f46224fd85566282f6837
120 Risk Score

Malware Insights

MITRE ATT&CK
T1204 Malicious Link T1204.001 Malicious Link: User Execution

The PDF document is image-only and contains a clickable link designed to lure the user into downloading a payload. The critical heuristic PDF_DIRECT_PAYLOAD_LINK confirms that the embedded URL directly points to a potential executable or archive. The URL https://proniklsu63nenick.com is identified as the target for the payload download.

Machine Learning

  • Nyx PDF Classifier clean score 0.0020

Heuristics 4

  • PDF link points directly to executable/archive payload critical PDF_DIRECT_PAYLOAD_LINK
    PDF contains a clickable HTTP(S) URI whose path ends in an executable, script, shortcut, disk image, or archive extension. Documents can legitimately link to installers, so this is a high-risk delivery indicator rather than a standalone exploit fingerprint.
  • Clickable PDF combines external action with parser-evasion structure high PDF_ACTION_PARSER_EVASION
    PDF has an external clickable URI together with object graph or xref structures that make parsers disagree, such as divergent duplicate objects, parser divergence, or xref offset mismatch. That combination is stronger than a plain link: the document is both an outward-action carrier and a parser-confusion/evasion sample.
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 2 image(s), only 2 text block(s), carries a click-outward action, and is only 163 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://monitor.clickcease.com//tracker/tracker?id=go2024mGEEFIqIrNt99&adpos=&nw=a&url=https://proniklsu63nenick.com?utm_content=gekimLhCXs&session_id=Gm49aDxCakEVdkYs9u3P&id=071kw&filter=MrsnfcBLvp-JDKPJ&lang=de&locale=US

Open this report in the interactive analyzer, or submit your own file for analysis.