Malicious PDF — malware analysis report

Static analysis result for SHA-256 f4dcaf2a638aaeb0…

MALICIOUS

PDF

122.3 KB Created: 2022-07-10 21:21:37 Authoring application: Recommended Htc Vive Specs press (via FPDF 1.82) First seen: 2022-07-15
MD5: 519f894504731977375a2072aecdb560 SHA-1: 1f034a7385f0dedbccbc28dfc1821f855e42e0f3 SHA-256: f4dcaf2a638aaeb06c3d629a53a0a3d467e37ffea7735fd003bb1dbabb34aec2
62 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains multiple embedded and invisible links that redirect to external URLs, specifically http://onboardlookup.site/. This technique is commonly used to trick users into downloading malicious payloads. No scripts were extracted, but the heuristic firings strongly indicate a downloader or dropper functionality.

Machine Learning

  • Nyx PDF Classifier clean score 0.0016

Heuristics 2

  • Invisible/repeated PDF links deliver payload file critical PDF_REPEATED_PAYLOAD_LINK_LURE
    PDF uses invisible link annotations and points to a direct payload download. Repeated invisible links or lure-like payload names such as document/unlock/verify archives match malware-delivery PDF carriers where the page is only a prompt and the real payload is fetched from the linked URL.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://onboardlookup.site/Recommended-Htc-Vive-Specs/pdf/iwholesalemeds.com
    • http://onboardlookup.site/Recommended-Htc-Vive-Specs/doc/iwholesalemeds.com
    • https://iwholesalemeds.com/wp-content/uploads/formidable/3/hipaa-acknowledgement-and-consent-form-template.pdf
    • https://iwholesalemeds.com/wp-content/uploads/formidable/3/hawaii-home-inspector-license-requirements.pdf
    • https://iwholesalemeds.com/wp-content/uploads/formidable/3/adjustable-height-drafting-table.pdf
    • https://iwholesalemeds.com/wp-content/uploads/formidable/3/irs-irc-penalty-codes.pdf
    • https://iwholesalemeds.com/wp-content/uploads/formidable/3/air-india-flight-ticket-price.pdf

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_023_off0001dce9.bin
43b13684882d332187dbe2691d5e4f64c33a98e381a4dc2316374ba1b923b47c		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x1DCE9 76950 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.