Malicious PDF — malware analysis report

Static analysis result for SHA-256 e2b75baeb7ed21fb…

Verdict: MALICIOUS

File type: PDF

Size: 154.7 KB
Created: 2024-10-13 15:46:18 +07:46
Authoring application: TS1.6
First seen: 2026-03-13
MD5: 5e24c58eb15249f7d4d087f66dd1ce02
SHA-1: e45cd29f904ab54e0d7f831982c7a78b4a370e9d
SHA-256: e2b75baeb7ed21fb8f27984f941286770d1c3c0b60fce8d7fa5b167bd24ba6dc
Risk Score: 62

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The PDF contains a direct link to an MSI installer, as indicated by the PDF_DIRECT_PAYLOAD_LINK heuristic. This strongly suggests the document's purpose is to trick the user into downloading and running a malicious payload. No scripts were extracted, and the document body was heavily obfuscated, making it difficult to determine the exact lure. The primary IOC is the URL pointing to the MSI installer.

Machine Learning

  • Nyx PDF Classifier clean score 0.0003

Heuristics (2)

  • PDF link points directly to executable/archive payload [critical] PDF_DIRECT_PAYLOAD_LINK
    PDF contains a clickable HTTP(S) URI whose path ends in an executable, script, shortcut, disk image, or archive extension. Documents can legitimately link to installers, so this is a high-risk delivery indicator rather than a standalone exploit fingerprint.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://6-1321729461.cos.ap-guangzhou.myqcloud.com/lnstaller.msi
    • http://www.baidu.com
    • https://00-1321729461.cos.ap-guangzhou.myqcloud.com/24-12-13uninstall.exe
    • https://00-1321729461.cos.ap-guangzhou.myqcloud.com/2024%E5%B9%B412%E6%9C%88%E4%BB%BD%E7%A8%8E%E5%8A%A1%E6%8A%BD%E6%9F%A5%E5%90%8D%E5%8D%95%E5%85%AC%E7%A4%BA.7z
    • https://00-1321729461.cos.ap-guangzhou.myqcloud.com/2024.7z
    • https://00-1321729461.cos.ap-guangzhou.myqcloud.com/uninstall.exe
    • https://00-1321729461.cos.ap-guangzhou.myqcloud.com/2uninstall.exe
    • https://fuued5-1329400280.cos.ap-guangzhou.myqcloud.com/%E6%B6%89%E7%A8%85%E4%BC%81%E6%A5%AD%E5%90%8D%E5%96%AE.zip
    • https://6-1321729461.cos.ap-guangzhou.myqcloud.com/lnstaller.msi)/IsMap
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off000034ee.bin | 5e6573121f1c83fad0a9d07224fec0d59ddcfdd0da49154df09ce7bb816e6237 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x34EE | 259544 bytes
font_01_sfnt_off0000f3a1.bin | 9f795aead024dc856e24f419192513f97fcd5afc0780fac9f0ad68cebe530ad5 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF3A1 | 67472 bytes
font_02_sfnt_off00013f03.bin | 8a42c24322b99eea5f1ac6fb79eedba167168111b02041107fdb869ac9c68830 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13F03 | 72360 bytes