Malicious PDF — malware analysis report

Static analysis result for SHA-256 ebc7aad321576ec1…

MALICIOUS

PDF

211.9 KB Created: 2023-01-02 03:16:24 +00:00 Authoring application: Microsoft® Word 2016 (via www.ilovepdf.com)
MD5: 41e4ae11e3703251a563bee5aad6c0e0 SHA-1: 093ad90725d2d1560d0a7f327ebacb4dcd20fc3f SHA-256: ebc7aad321576ec1511158184ea8dbac4e25f91639ef7d44ed7ca3a6a855956a
60 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File Execution: Malicious File T1566.002 Phishing: Spearphishing Attachment

The PDF contains a direct link to a JavaScript file hosted on transfer.sh, identified by the PDF_DIRECT_PAYLOAD_LINK heuristic. This JavaScript file is likely intended to be executed by the user, serving as a downloader for further malicious payloads. The embedded URL is the primary indicator of the malicious intent.

Machine Learning

  • Nyx PDF Classifier clean score 0.0145

Heuristics 2

  • PDF link points directly to executable/archive payload critical PDF_DIRECT_PAYLOAD_LINK
    PDF contains a clickable HTTP(S) URI whose path ends in an executable, script, shortcut, disk image, or archive extension. Documents can legitimately link to installers, so this is a high-risk delivery indicator rather than a standalone exploit fingerprint.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://transfer.sh/get/9yiXvu/ORDER-022023.doc.js

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_001_off000080c0.bin
eb51ffeca7df127736b35752a89769b101e1989b44cee80b393eba683017b1ab		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x80C0 356888 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.