Malicious PDF — malware analysis report

Static analysis result for SHA-256 f1c11be55cc28f0e…

MALICIOUS

PDF

31.0 KB Created: 2020-12-04 12:42:21 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-31
MD5: b512e29c72e2aca7cdb6d523ef24791d SHA-1: a65e7934c48cfacf48660ae7ac926d8c59503c4f SHA-256: f1c11be55cc28f0e4665c24899c488fc30c8b09caf551f9e0b0b1ef45ab78f66
82 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file is identified as a malicious screenshot lure, designed to trick users into clicking a link. The embedded URL, http://f6f3.nypost.com@0x58.0xda.0x10.0x59/, is obfuscated and points to a suspicious IP address, likely leading to a phishing or malware distribution site. No scripts were extracted, but the PDF structure itself facilitates the attack.

Machine Learning

  • Nyx PDF Classifier clean score 0.0563

Heuristics 4

  • Clickable URI hides its destination behind an obfuscated IP high PDF_URI_OBFUSCATED_IP_HOST
    PDF contains a clickable HTTP(S) action whose visible host is a user-info deception: the brand-looking name before the '@' is ignored by the browser, and the real destination is a bare or obfuscated IP literal. The 'brand.com@real-host' form has no legitimate use and is a hallmark of phishing / malware redirectors that want the rendered link to read like a trusted site.
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 1 image(s), only 2 text block(s), carries a click-outward action, and is only 30 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • Image-only PDF lure with a single link to a non-reputable host medium PDF_IMAGE_LURE_NONREPUTABLE_LINK
    PDF is image-heavy with little real text and its only clickable action is a single external link to a host that is not known-good. This is the canonical malspam carrier shape — a screenshot-like 'click to view' page whose sole purpose is to funnel the victim to one redirect/landing URL on a compromised or throwaway domain. Flagged suspicious rather than malicious because the link alone (no shortener / typosquat / brand path) is the only corroborator beyond the image lure.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://f6f3.nypost.com@0x58.0xda.0x10.0x59/?clickid=c012253d9debfcc6914bfb1661370a&1=1eb36096-8a79-6d44-90bf-ac1f6b95a853&time=1607074719&flash=63980 PDF link annotation
    • http://f6f3.nypost.com@88.218.16.89/?clickid=c012253d9debfcc6914bfb1661370a&1=1eb36096-8a79-6d44-90bf-ac1f6b95a853&time=1607074719&flash=63980Decoded from obfuscated IP host (0x58.0xda.0x10.0x59)
    • http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off00002e24.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x2E24 16088 bytes
SHA-256: 02ed90c0e61f0f3891f8256925ff5a7690bfbe3b420e7e776e3190caf73c92b6
font_01_sfnt_off000057a7.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x57A7 14684 bytes
SHA-256: dd78d033feea8fcfd3fbc9a5c7d0b2133705feafde3e8cd938320892b1a4a8ec

Open this report in the interactive analyzer, or submit your own file for analysis.