PDF malware analysis — malicious · e5ea77c1d2431eb2

MALICIOUS

PDF

200.8 KB Authoring application: PyPDF2

MD5: 1ccb0807ef5add8105cc16de6e1e0934 SHA-1: 636bd7c1d93126e39c4b4ae7316946c0350e65b0 SHA-256: e5ea77c1d2431eb235ff2d88d412fe737c3fa0c89de871c32b5dc57e1a320caa

90 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Phishing: Spearphishing Attachment

The PDF employs an image-only lure, a common phishing tactic where a screenshot masks clickable elements. Heuristics confirm this, specifically identifying an 'escaped URI' pointing to 'https://flowersaffairs.com/nece/?DdOuaPKCcKcQPWqKykzHCzDrvDfFTJIMwPujqbaZVeOpHUtenkstHGYMUOocj'. This URL is the primary indicator of malicious intent, likely leading to a phishing page or malware download.

Machine Learning

Nyx PDF Classifier malicious score 0.8485

Heuristics 2

Image-heavy PDF hides clickable URL with PDF string escapes high PDF_ESCAPED_URI_IMAGE_LURE

PDF is image-heavy with little real text and its clickable HTTP(S) URI is encoded with PDF octal escapes. This combination is common in credential-phishing PDFs that render a screenshot-like prompt and obscure the destination from simple URL extractors.
Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE

PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 200 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.

Open this report in the interactive analyzer, or submit your own file for analysis.