PDF malware analysis — malicious · f1d7f816e4df90f6

MALICIOUS

PDF

89.8 KB

MD5: f6a991e0cbf3c67793cc10e77545f949 SHA-1: 9ed54fed139364aab4b7d9d70c6e14d639f665ff SHA-256: f1d7f816e4df90f6a8f312be170ed736b409da31a691f9847b8648987e0387c4

68 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains multiple invisible and repeated links designed to trick the user into downloading a payload. The heuristic 'PDF_REPEATED_PAYLOAD_LINK_LURE' directly indicates this behavior, and the 'SE_INVOICE_LURE' heuristic suggests the social engineering pretext. The primary IOC is the URL associated with these malicious links.

Heuristics 3

Invisible/repeated PDF links deliver payload file critical PDF_REPEATED_PAYLOAD_LINK_LURE

PDF uses invisible link annotations and points to a direct payload download. Repeated invisible links or lure-like payload names such as document/unlock/verify archives match malware-delivery PDF carriers where the page is only a prompt and the real payload is fetched from the linked URL.
Fake invoice / payment lure low SE_INVOICE_LURE

Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/xap/1.0/

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`stream_012_off0000dab0.bin` `aee411f9226ade263e6c56180fec20662b86071773c4728d14deef520331a14c`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0xDAB0	35180 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.