Malicious PDF — malware analysis report

Static analysis result for SHA-256 f94d2b089c250e8f…

Verdict: MALICIOUS
File type: PDF
Size: 349.2 KB
Created: 2020-12-07 14:41:12 UTC (document /CreationDate)
Authoring application: PDFescape Online - https://www.pdfescape.com (via RAD PDF 3.18.0.0 - https://www.radpdf.com)
MD5: cd81bdeada761a37bb019bc8411aabc0
SHA-1: 8cf9ba99380e90c69f98e6a34f144fac39ff1d1f
SHA-256: f94d2b089c250e8ff7d1398e6f107867255aabfe28d79dff8532e2895e0c6e9d
Risk Score: 150

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link
T1059.001 Command and Scripting Interpreter: PowerShell

The PDF contains multiple invisible and repeated link annotations pointing to a single URL whose path ends in .IMG, i.e. a download disguised as an image. This is the lure pattern in which the page itself is only a prompt and the real payload is fetched from the linked URL. The PDF structure also shows parser-evasion features (divergent duplicate objects and/or xref offset mismatch), which points to deliberate malicious construction rather than a broken authoring tool. No scripts were extracted, and the document body contains no extractable text (the page is rendered purely as images), so the payload's specific actions could not be determined from static analysis alone.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5530

Heuristics (4)

  • [critical] PDF_REPEATED_PAYLOAD_LINK_LURE: Invisible/repeated PDF links deliver payload file
    PDF uses invisible link annotations and points to a direct payload download. Repeated invisible links, or lure-like payload names such as document/unlock/verify archives, match malware-delivery PDF carriers where the page is only a prompt and the real payload is fetched from the linked URL.
  • [high] PDF_ACTION_PARSER_EVASION: Clickable PDF combines external action with parser-evasion structure
    PDF has an external clickable URI together with object graph or xref structures that make parsers disagree, such as divergent duplicate object definitions or xref offsets that do not match the real object positions. That combination is stronger than a plain link: the document is both an outward-action carrier and a parser-confusion/evasion sample.
  • [medium] PDF_IMAGE_ONLY_LURE: PDF paints image(s) but contains no text operators
    PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams. This is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Link annotation target (the payload-download URL behind the invisible links):
    • https://atelierzolotas.com/work/83461806.IMG
    URLs from document metadata (/Producer, /Creator and XMP namespace URIs; authoring-tool artefacts, not detections):
    • https://www.radpdf.com)/Creator(PDFescape
      (extraction over-match: the URL regex ran past the closing parenthesis of the /Producer string into the /Creator key; the underlying URL is https://www.radpdf.com)
    • https://www.pdfescape.com)/CreationDate(D:20201207144112Z)/ModDate(D:20201207144331Z
      (extraction over-match into the /CreationDate and /ModDate keys; the underlying URL is https://www.pdfescape.com)
    • http://www.dynaforms.com
    • https://www.radpdf.com
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • https://www.pdfescape.com
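The three structural heuristics above (invisible/repeated link annotations, xref offset mismatch with divergent duplicate objects, and an image-only content stream) can be reproduced with a raw-byte scan that does not trust the xref table. The following is an added example written for this page, not the scanner's own code or any published rule logic. It constructs a minimal PDF in memory (placeholder URL http://example.invalid/..., not the URL from this sample) that carries all three signals, then triages it with regex-based object, xref and stream parsing. It only handles classic single-subsection xref tables, Flate-compressed streams and unescaped parentheses in /URI strings, which is enough to show the checks; an xref stream or an object stream would need a fuller parser.

```python
import re
import zlib
from collections import Counter
# Added example, not the scanner's code. build_sample_pdf() constructs a minimal PDF
# with all three structural findings; URL and object contents are placeholders.
def build_sample_pdf() -> bytes:
    uri, content = b"http://example.invalid/document.IMG", zlib.compress(b"q 612 0 0 792 0 0 cm /Im0 Do Q")
    objs = {
        1: b"<< /Type /Catalog /Pages 2 0 R >>",
        2: b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        3: (b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
            b"/Resources << /XObject << /Im0 5 0 R >> >> /Contents 4 0 R "
            b"/Annots [6 0 R 7 0 R] >>"),
        4: (b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(content)
            + content + b"\nendstream"),  # paints an image, emits no text operators
        5: (b"<< /Type /XObject /Subtype /Image /Width 1 /Height 1 /ColorSpace "
            b"/DeviceGray /BitsPerComponent 8 /Length 1 >>\nstream\n\x00\nendstream"),
        6: (b"<< /Type /Annot /Subtype /Link /Rect [0 0 612 792] /F 2 "  # /F bit 2 = Hidden
            b"/Border [0 0 0] /A << /S /URI /URI (" + uri + b") >> >>"),
        7: (b"<< /Type /Annot /Subtype /Link /Rect [100 100 100 100] "  # zero-area rect
            b"/Border [0 0 0] /A << /S /URI /URI (" + uri + b") >> >>"),
    }
    out, offsets = bytearray(b"%PDF-1.4\n"), {}
    for num, body in objs.items():
        offsets[num] = len(out)
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    # Second, divergent definition of object 6; the xref below still points at the first.
    out += (b"6 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 612 792] "
            b"/A << /S /URI /URI (http://example.invalid/benign) >> >>\nendobj\n")
    xref_pos, size = len(out), len(objs) + 1
    out += b"xref\n0 %d\n0000000000 65535 f \n" % size
    for num in sorted(objs):  # object 4's declared offset is deliberately off by 3 bytes
        out += b"%010d 00000 n \n" % (offsets[num] + (3 if num == 4 else 0))
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (size, xref_pos)
    return bytes(out)

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
XREF_RE = re.compile(rb"xref\s+(\d+)\s+(\d+)\s*\n((?:\d{10} \d{5} [nf]\s*\n)+)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
LINK_RE, IMAGE_RE = re.compile(rb"/Subtype\s*/Link\b"), re.compile(rb"/Subtype\s*/Image\b")
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")  # no handling of escaped parentheses
RECT_RE = re.compile(rb"/Rect\s*\[\s*([-\d.]+)\s+([-\d.]+)\s+([-\d.]+)\s+([-\d.]+)")
FLAGS_RE = re.compile(rb"/F\s+(\d+)")
TEXT_OP_RE = re.compile(rb"(?:^|\s)(?:BT|ET|Tj|TJ|'|\")(?:\s|$)")

def find_objects(pdf: bytes) -> dict:  # objnum -> [(offset of 'N G obj', body)], duplicates kept
    objs = {}
    for m in OBJ_RE.finditer(pdf):
        objs.setdefault(int(m.group(1)), []).append((m.start(), m.group(3)))
    return objs

def xref_mismatches(pdf: bytes, objs: dict) -> list:  # declared offsets hitting no real object
    bad = []
    for m in XREF_RE.finditer(pdf):
        for i, line in enumerate(m.group(3).splitlines()):
            off, _gen, kind = line.split()
            num = int(m.group(1)) + i
            if kind == b"n" and int(off) not in [o for o, _ in objs.get(num, [])]:
                bad.append((num, int(off)))
    return bad

def link_annotations(objs: dict) -> list:  # (uri, invisible) per /Link annotation with a /URI
    found = []
    for defs in objs.values():
        for _, body in defs:
            uri = URI_RE.search(body)
            if not uri or not LINK_RE.search(body):
                continue
            f, r = FLAGS_RE.search(body), RECT_RE.search(body)
            hidden = bool(f and int(f.group(1)) & 2)  # annotation flag bit 2 = Hidden
            x0, y0, x1, y1 = map(float, r.groups()) if r else (0, 0, 1, 1)
            found.append((uri.group(1), hidden or abs(x1 - x0) < 1 or abs(y1 - y0) < 1))
    return found

def content_has_text(objs: dict) -> bool:  # any non-image stream (raw or inflated) with text ops
    for defs in objs.values():
        for _, body in defs:
            m = STREAM_RE.search(body)
            if not m or IMAGE_RE.search(body):
                continue
            data = m.group(1)
            if re.search(rb"/Filter\s*/FlateDecode", body):
                try:
                    data = zlib.decompress(data)
                except zlib.error:
                    continue  # corrupt or truncated stream: nothing readable to inspect
            if TEXT_OP_RE.search(data):
                return True
    return False

def triage(pdf: bytes) -> dict:  # the structural signals behind the three heuristics
    objs = find_objects(pdf)
    links = link_annotations(objs)
    return {
        "xref_mismatches": xref_mismatches(pdf, objs),
        "divergent_duplicates": [n for n, d in objs.items() if len({b.strip() for _, b in d}) > 1],
        "invisible_links": sum(1 for _, inv in links if inv),
        "repeated_uris": {u: n for u, n in Counter(u for u, _ in links).items() if n > 1},
        "image_xobjects": sum(1 for d in objs.values() for _, b in d if IMAGE_RE.search(b)),
        "has_text_operators": content_has_text(objs),
    }
```

Running `triage(build_sample_pdf())` reports the one wrong xref entry (object 4), object 6 as a divergent duplicate, two invisible links, one URI repeated twice, one image XObject and no text operators, which is the same combination the report flags. The object scan deliberately ignores the xref table and records every definition of every object number, because a parser that follows the xref and one that scans linearly will resolve object 6 differently; that disagreement is the point of the PDF_ACTION_PARSER_EVASION rule.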