Malicious PDF — malware analysis report

Static analysis result for SHA-256 ddaffb8652b51ce8…

Verdict: MALICIOUS

File type: PDF

Size: 103.5 KB
Created: 2022-03-12 11:48:10
Authoring application: Passport Renewal Office In Coral Gables adept (via FPDF 1.82)
First seen: 2022-07-15
MD5: cd411aaf3b7e9dc5198372b07e103560
SHA-1: 73c8892f6487ca7c5df65fc738c51e11488c959c
SHA-256: ddaffb8652b51ce8ec85f7779bc12580512dc88f0dfdc21797a0718791c22270
Risk score: 70

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment; T1059.001 PowerShell; T1204.001 Malicious Link
(T1059.001 PowerShell is listed without a matching indicator in the heuristics or carved streams below; treat that mapping as unconfirmed by this static result.)

The PDF uses a fake invoice lure, a common tactic for getting users to click malicious links. It contains multiple invisible and repeated link annotations that resolve to external URLs, which suggests the document itself is only a prompt and a second-stage payload is fetched from the linked server. An embedded JavaScript stream (carved as stream_002 below) further supports the assessment of malicious intent.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0008

Heuristics (3)

  • Invisible/repeated PDF links deliver payload file [critical] PDF_REPEATED_PAYLOAD_LINK_LURE
    The PDF uses invisible link annotations that point to a direct payload download. Repeated invisible links, or lure-like payload names such as document/unlock/verify archives, match malware-delivery PDF carriers in which the page is only a prompt and the real payload is fetched from the linked URL.
  • Fake invoice / payment lure [low] SE_INVOICE_LURE
    The document contains invoice or payment language paired with an action verb. This is useful context when combined with link, macro, or attachment indicators.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Note that the two judgesclinic.site URLs end in a path component that mimics the eventsafetyplan.com host name, and that the six eventsafetyplan.com links all point to distinct .pdf files under one WordPress uploads directory.
    URLs:
    • http://judgesclinic.site/Passport-Renewal-Office-In-Coral-Gables/pdf/eventsafetyplan.com
    • http://judgesclinic.site/Passport-Renewal-Office-In-Coral-Gables/doc/eventsafetyplan.com
    • https://eventsafetyplan.com/wp-content/uploads/formidable/51/free-learners-licence-test-for-motorcycles.pdf
    • https://eventsafetyplan.com/wp-content/uploads/formidable/51/top-health-policy-think-tanks.pdf
    • https://eventsafetyplan.com/wp-content/uploads/formidable/51/boulder-county-inspection-request.pdf
    • https://eventsafetyplan.com/wp-content/uploads/formidable/51/ge-cd-clock-radio-dual-wake-manual.pdf
    • https://eventsafetyplan.com/wp-content/uploads/formidable/51/getting-marriage-license-in-maryland.pdf
    • https://eventsafetyplan.com/wp-content/uploads/formidable/51/new-jersey-attorney-ethics-complaint-form-address.pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                     Kind                     Source                                     Size
stream_002_off00000810.js    decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x810    3941 bytes
  SHA-256: 0ac04414daa02e8d350733082c7b59c4e8efd2290d1728b672741f78c63c3d70
stream_014_off000192d8.bin   decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x192D8  76950 bytes
  SHA-256: 43b13684882d332187dbe2691d5e4f64c33a98e381a4dc2316374ba1b923b47c
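The two steps this report leans on, carving FlateDecode streams by file offset (the artifacts table above) and the invisible/repeated-link heuristic PDF_REPEATED_PAYLOAD_LINK_LURE, as an added stdlib-only Python example. This is not the analysis platform's own code. The sample PDF it builds, the example.invalid host and URL, the JS_STREAM tag and the lure-name pattern are constructed for the example; only EMBEDDED_URL and PDF_REPEATED_PAYLOAD_LINK_LURE are labels taken from the report.

```python
# Added example (not the analysis platform's code): stdlib-only static triage of
# a link-lure PDF. Carves FlateDecode streams by file offset, then scans raw and
# inflated content for link annotations that are invisible, repeated, or paired
# with JavaScript. The sample PDF at the bottom is constructed for the example.
import re
import zlib
from collections import Counter

STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
LINK_RE = re.compile(rb"/Subtype\s*/Link\b")
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
INVISIBLE_BORDER_RE = re.compile(rb"/Border\s*\[\s*0\s+0\s+0\s*\]")
RECT_RE = re.compile(rb"/Rect\s*\[\s*([-\d.]+)\s+([-\d.]+)\s+([-\d.]+)\s+([-\d.]+)\s*\]")
JS_RE = re.compile(rb"/(?:JS|JavaScript)\b")
# Lure-like payload names, after the report's own examples (document/unlock/verify).
LURE_NAME_RE = re.compile(r"(?:document|unlock|verify|invoice)[^/]*\.(?:pdf|zip|rar|7z|exe)$", re.I)


def carve_flate_streams(pdf):
    """Return (offset of compressed data, inflated bytes) for each FlateDecode stream.
    Delimited by stream/endstream rather than /Length, so a lying /Length is harmless."""
    out = []
    for m in STREAM_RE.finditer(pdf):
        head = pdf[max(0, m.start() - 512):m.start()]  # the owning object's dictionary
        head = head[head.rfind(b"obj"):] if b"obj" in head else head
        if b"/FlateDecode" not in head:
            continue
        dec = zlib.decompressobj()  # ignores the EOL bytes captured before endstream
        try:
            data = dec.decompress(m.group(1))
        except zlib.error:
            continue  # corrupt stream
        if dec.eof:  # a truncated stream never reaches eof; skip it
            out.append((m.start(1), data))
    return out


def top_level_dicts(blob):
    """Yield each outermost << ... >> dictionary in blob (nested dicts stay inside)."""
    depth = start = i = 0
    while i < len(blob) - 1:
        pair = blob[i:i + 2]
        if pair == b"<<":
            start = i if depth == 0 else start
            depth += 1
        elif pair == b">>" and depth > 0:
            depth -= 1
            if depth == 0:
                yield blob[start:i + 2]
        else:
            i += 1
            continue
        i += 2


def zero_area_rect(d):
    """True when the annotation rectangle has no width or no height."""
    m = RECT_RE.search(d)
    if m is None:
        return False
    x1, y1, x2, y2 = (float(v) for v in m.groups())
    return x1 == x2 or y1 == y2


def triage(pdf):
    streams = carve_flate_streams(pdf)
    # Blank out compressed bodies so binary bytes cannot unbalance the dict scan.
    blobs = [STREAM_RE.sub(b"stream\nendstream", pdf)] + [d for _, d in streams]
    uris, invisible, has_js = [], 0, False
    for blob in blobs:
        has_js = has_js or JS_RE.search(blob) is not None
        for d in top_level_dicts(blob):
            m = URI_RE.search(d) if LINK_RE.search(d) else None
            if m is None:
                continue
            uris.append(m.group(1).decode("latin-1"))
            invisible += bool(INVISIBLE_BORDER_RE.search(d) or zero_area_rect(d))
    repeated = {u: c for u, c in Counter(uris).items() if c > 1}
    tags = ["EMBEDDED_URL"] if uris else []
    if invisible and (repeated or any(LURE_NAME_RE.search(u) for u in uris)):
        tags.append("PDF_REPEATED_PAYLOAD_LINK_LURE")
    if has_js:
        tags.append("JS_STREAM")  # tag name made up for this example
    return {"streams": [(off, len(d)) for off, d in streams], "uris": uris,
            "invisible_links": invisible, "repeated": repeated,
            "javascript": has_js, "tags": tags}


# Constructed sample: two identical whole-page invisible link annotations and a
# FlateDecode-compressed JavaScript action. Host and path are made up.
SAMPLE_URL = b"http://example.invalid/verify-document.pdf"
SAMPLE_JS = b"app.launchURL('" + SAMPLE_URL + b"', true);"


def build_sample_pdf():
    js = zlib.compress(SAMPLE_JS)
    link = (b"<< /Type /Annot /Subtype /Link /Border [0 0 0] /Rect [0 0 612 792] "
            b"/A << /S /URI /URI (" + SAMPLE_URL + b") >> >>")
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 6 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R 5 0 R] >>",
        link, link,
        b"<< /Type /Action /S /JavaScript /JS 7 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(js) + js + b"\nendstream",
    ]
    out = bytearray(b"%PDF-1.7\n")
    for num, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return bytes(out + b"trailer\n<< /Root 1 0 R >>\n%EOF\n")
```

Running `triage(build_sample_pdf())` reports one carved stream whose inflated size equals the JavaScript length, two invisible links to the same URL, and all three tags. Running it on a real sample is a matter of `triage(open(path, "rb").read())`; the stream offsets it returns are what the artifacts table above records in each filename. Because the scanner only sees uncompressed objects plus what it can inflate, annotations hidden inside object streams with filters other than FlateDecode, or inside encrypted documents, will be missed, which is why a heuristic like this is scored alongside a classifier rather than used alone.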