Malicious PDF — malware analysis report

Static analysis result for SHA-256 e5e94eb23a48f29a…

Verdict: MALICIOUS
File type: PDF
Size: 126.8 KB
Created: 2023-06-01 11:05:31 +03:00
Authoring application: iTextSharp™ 5.5.10 ©2000-2016 iText Group NV (AGPL-version)
MD5: be2dbffcf82792e24c76f89f0eda0470
SHA-1: 213660f409ab7856645d3f6f597adf2958d69b93
SHA-256: e5e94eb23a48f29a32a3308c094f8a8cfbd3147eb3985ee86bbad964e70c53d5
Risk score: 62

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The PDF contains a direct link to a ZIP archive, identified by the PDF_DIRECT_PAYLOAD_LINK heuristic. This indicates the document's primary purpose is to trick the user into downloading and potentially executing the contents of the archive. No scripts were extracted, and the document body was not sufficiently readable to provide further context.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0112

Heuristics (3)

  • PDF link points directly to executable/archive payload [critical] PDF_DIRECT_PAYLOAD_LINK
    The PDF contains a clickable HTTP(S) URI whose path ends in an executable, script, shortcut, disk image, or archive extension (here a .zip). Documents can legitimately link to installers, so this is a high-risk delivery indicator rather than a standalone exploit fingerprint. The heuristic inspects only the URI string: it does not fetch the target, so the archive's contents and whether the link still resolves have to be established separately.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms. In this sample the match is the high-entropy decompressed stream listed under Extracted artifacts.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels show which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://afiadv.org/xmeyuqpuid/xmeyuqpuid.zip (the clickable payload link flagged by PDF_DIRECT_PAYLOAD_LINK)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (standard XMP/RDF namespace identifier from the document metadata, not a delivery link)
    • http://ns.adobe.com/tiff/1.0/ (standard XMP namespace identifier from the document metadata, not a delivery link)

Extracted artifacts (8)

Files carved from inside the sample during analysis.

stream_020_off0000cc37.bin
  SHA-256: 7d6e8c2f330606eed50b77d2299e1abe1b09c84bdf7713fcdfeee2855ffee3e4
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0xCC37
  Size: 4581 bytes
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely. Carved artifact entropy is 7.42, consistent with packed or encrypted content. This is the entropy of the stream after FlateDecode: page content streams decode to low-entropy text, so a value this high means the decoded bytes are themselves compressed or encrypted. Already-compressed embedded objects (JPEG images, CFF font programs) also score near 8 bits/byte, so check the stream's object dictionary (/Type, /Subtype, /Filter chain) before treating it as a payload blob.

font_00_cff_off00000610.bin
  SHA-256: 321e7c1033e1f2d21a39e55764be64c5b600a25ef08997d0815b6c94fe4f25cf
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0x610
  Size: 2587 bytes

font_01_cff_off00002b35.bin
  SHA-256: 38ac91883c56a5138075845c566ebeb16287769ba14951867ab48d5bca3673fe
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0x2B35
  Size: 539 bytes

font_02_cff_off00004856.bin
  SHA-256: a121fcfe8f2debd62f29a88e36180bb1f27d522d5811ab4a206e38f7c51217b8
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0x4856
  Size: 539 bytes

font_03_cff_off00006578.bin
  SHA-256: edb617c123f49533789229e253b0ed4b762c942ee8b361ae2a51c5de64c039f5
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0x6578
  Size: 539 bytes

font_04_cff_off000082a5.bin
  SHA-256: b0f74c1d3f8de6411025fe4536ea7097b9f7300348af5ef4c63b64681bbab0e5
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0x82A5
  Size: 1340 bytes

font_05_cff_off0000a316.bin
  SHA-256: 4beb162a087c3d536cd5bb4547f88d8a2c31f3c9acdb8c0c6d6e9501472d7bff
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0xA316
  Size: 3578 bytes

font_07_cff_off0000f8a8.bin
  SHA-256: 1118f250c9cbcfd4fd183577e35d5aa001c52efb108823a8b57a8ff361890ebf
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0xF8A8
  Size: 525 bytes