Malicious PDF — malware analysis report

Static analysis result for SHA-256 d859f4ca59bee60d…

MALICIOUS

PDF

77.3 KB
MD5: e90fe554706fcf4e1878b93461777db9 SHA-1: c6a29bcf2e5ba1b3048635d105ecc70ae730c8fb SHA-256: d859f4ca59bee60d3c8bea67e4035b973a17014b57aee57ad1a372934d9739b3
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.001 User Execution: Malicious Link

The PDF document contains multiple invisible links pointing to the same external URL, strongly suggesting a phishing or malware delivery attempt. The heuristic 'PDF_REPEATED_PAYLOAD_LINK_LURE' confirms this, indicating the links are designed to deliver a payload. The embedded URL 'https://kontaktlines.com/us.kuehne-nagel.com' is the primary indicator for potential payload retrieval.

Machine Learning

  • Nyx PDF Classifier clean score 0.0010

Heuristics 2

  • Invisible/repeated PDF links deliver payload file critical PDF_REPEATED_PAYLOAD_LINK_LURE
    PDF uses invisible link annotations and points to a direct payload download. Repeated invisible links or lure-like payload names such as document/unlock/verify archives match malware-delivery PDF carriers where the page is only a prompt and the real payload is fetched from the linked URL.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://kontaktlines.com/us.kuehne-nagel.com

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_010_off00006672.bin
291130d6ca1a9c2c0c8802497d7df30a1f5a18b12575647c60a39d6a048c9773		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x6672 35012 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.