Malicious PDF — malware analysis report

Static analysis result for SHA-256 ee6f0619725d82cb…

MALICIOUS

PDF

126.8 KB Created: 2023-06-07 12:53:12 +03:00 Authoring application: iTextSharp’ 5.5.10 ©2000-2016 iText Group NV (AGPL-version)
MD5: 80cdc585c8aac8c9d713c1c115637a8b SHA-1: 95d97758bf98ba2d0bae100b107a66eabbd8f0b7 SHA-256: ee6f0619725d82cb26f96f38d7896a1e57e6195c4c2b7b5ee4797b190fa6b5e3
62 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The PDF contains a direct link to a ZIP archive hosted on 'entelso.com'. The PDF_DIRECT_PAYLOAD_LINK heuristic firing confirms this link points to an executable or archive. This indicates a delivery mechanism designed to trick the user into downloading and running a malicious payload. No scripts were extracted, and the document body was not sufficiently readable to provide further context.

Machine Learning

  • Nyx PDF Classifier clean score 0.0112

Heuristics 3

  • PDF link points directly to executable/archive payload critical PDF_DIRECT_PAYLOAD_LINK
    PDF contains a clickable HTTP(S) URI whose path ends in an executable, script, shortcut, disk image, or archive extension. Documents can legitimately link to installers, so this is a high-risk delivery indicator rather than a standalone exploit fingerprint.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://entelso.com/ikirzexvnv/ikirzexvnv.zip
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/tiff/1.0/

Extracted artifacts 8

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_020_off0000cc38.bin
7d6e8c2f330606eed50b77d2299e1abe1b09c84bdf7713fcdfeee2855ffee3e4		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0xCC38 4581 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.42, consistent with packed or encrypted content.
font_00_cff_off00000611.bin
321e7c1033e1f2d21a39e55764be64c5b600a25ef08997d0815b6c94fe4f25cf		 pdf-font-stream PDF embedded font (cff) at offset 0x611 2587 bytes
font_01_cff_off00002b36.bin
38ac91883c56a5138075845c566ebeb16287769ba14951867ab48d5bca3673fe		 pdf-font-stream PDF embedded font (cff) at offset 0x2B36 539 bytes
font_02_cff_off00004857.bin
a121fcfe8f2debd62f29a88e36180bb1f27d522d5811ab4a206e38f7c51217b8		 pdf-font-stream PDF embedded font (cff) at offset 0x4857 539 bytes
font_03_cff_off00006579.bin
edb617c123f49533789229e253b0ed4b762c942ee8b361ae2a51c5de64c039f5		 pdf-font-stream PDF embedded font (cff) at offset 0x6579 539 bytes
font_04_cff_off000082a6.bin
b0f74c1d3f8de6411025fe4536ea7097b9f7300348af5ef4c63b64681bbab0e5		 pdf-font-stream PDF embedded font (cff) at offset 0x82A6 1340 bytes
font_05_cff_off0000a317.bin
4beb162a087c3d536cd5bb4547f88d8a2c31f3c9acdb8c0c6d6e9501472d7bff		 pdf-font-stream PDF embedded font (cff) at offset 0xA317 3578 bytes
font_07_cff_off0000f8a9.bin
1118f250c9cbcfd4fd183577e35d5aa001c52efb108823a8b57a8ff361890ebf		 pdf-font-stream PDF embedded font (cff) at offset 0xF8A9 525 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.