PDF static analysis report

Static analysis result for SHA-256 0083a0f0d4a1f605…

SUSPICIOUS

PDF

1.71 MB
Created: [unreadable in source]
Authoring application: [unreadable in source]
First seen: 2026-05-11
MD5: a8975cf36796f2dc7301ef690194dc0d SHA-1: 0b07e4b6094695d11185bb5fe4e0fcd874cbb60b SHA-256: 0083a0f0d4a1f60581dd51a8a989a9b6dc501e31b7a00ad81f4f27b9316a6688
Risk Score: 44

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF is encrypted and contains an /OpenAction. Encrypting a document that also carries an auto-execution trigger is a common technique to obfuscate malicious content and hide payloads from static analysis. The presence of embedded URLs, specifically 'http://anzeigen.automatisieren.org', suggests a potential download or redirection mechanism. The heuristic 'PDF_ENCRYPTED_WITH_JS' indicates that JavaScript may be involved in the execution flow, likely to trigger the payload.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0135

Heuristics (3)

  • Encrypted PDF carries /OpenAction — payload hidden from static analysis | high | PDF_ENCRYPTED_WITH_JS
    PDF declares /Encrypt and also references an executable trigger (/OpenAction). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • Suspicious extracted artifact | info | EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL | info | EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs (all found in PDF document text):
    • http://anzeigen.automatisieren.org
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
    • http://ns.adobe.com/xap/1.0/sType/ManifestItem#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/g/img/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/t/pg/
    • http://ns.adobe.com/xap/1.0/sType/Dimensions#
    • http://ns.adobe.com/xap/1.0/g/
    • http://www.iec.ch

Extracted artifacts (28)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
stream_029_off00029c65.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x29C65 22324 bytes
SHA-256: c863db5685b5c61cfe94115858391808f14a79c97291a01cf0f400e302279c7e
Detection
ClamAV: No threats found
Obfuscation or payload: likely
412 of 620 identifiers look randomly generated (e.g. 'DrU7bdhiqcRXEE1RDKklOvBg1PuxVUxV2KsE86XX'); 2 string-concatenation chain(s) — consistent with name-mangling obfuscation.
stream_135_off000eb242.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0xEB242 39521 bytes
SHA-256: ba40891f62a4a83d9ffdb7ccec7c8ded61b05d73b6927283863d3cc23e473e95
Detection
ClamAV: No threats found
Obfuscation or payload: likely
383 of 556 identifiers look randomly generated (e.g. 'DBAMDAwMDAwQDA4PEA8ODBMTFBQTExwbGxscHx8f'); 9 string-concatenation chain(s) — consistent with name-mangling obfuscation.
stream_158_off0017d221.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x17D221 11800 bytes
SHA-256: bc397bf6a90d448cd98c79a74308a487141069a3c8a0af7bb045e632390ec063
icc_00_off00020b96.icc pdf-icc-profile PDF ICC profile at offset 0x20B96 3144 bytes
SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
font_00_cff_off000ff4c4.bin pdf-font-stream PDF embedded font (cff) at offset 0xFF4C4 4743 bytes
SHA-256: 48992f1fdaa51cffbab540b4dfcd699466835a8ef3e995d7eae53eed88a35d0b
font_01_cff_off001005d7.bin pdf-font-stream PDF embedded font (cff) at offset 0x1005D7 6123 bytes
SHA-256: 14a98ad7399d6aa94dd8f2963a874bbd54f0c57bf4d81cd1200bd0eded3c0b94
font_02_cff_off00101b24.bin pdf-font-stream PDF embedded font (cff) at offset 0x101B24 7494 bytes
SHA-256: a1f2ff2601c72eeab3b359e755014e1e5ef4888469ceff78f947dd53e0ae1d27
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.43, consistent with packed or encrypted content.
font_03_cff_off0010354e.bin pdf-font-stream PDF embedded font (cff) at offset 0x10354E 2556 bytes
SHA-256: f28676ed02b4aa58324b87f33f8cb1141680fb6aba355873a16109eb036c1142
font_04_cff_off00103ecc.bin pdf-font-stream PDF embedded font (cff) at offset 0x103ECC 10161 bytes
SHA-256: 1c2810fc02f5add03693e889005aff928e9f440f4d1bf66837382fb5c6f64a08
font_05_cff_off00105ebd.bin pdf-font-stream PDF embedded font (cff) at offset 0x105EBD 6817 bytes
SHA-256: 01ac2a26265d690d6f2584927f761fefef50ec47c4ced866f538e05a7403930b
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.45, consistent with packed or encrypted content.
font_06_cff_off0010766e.bin pdf-font-stream PDF embedded font (cff) at offset 0x10766E 251 bytes
SHA-256: 64c598f365d927a4edd9ae2af72d2b0b2960fbba5192d7ef1b33afcf74c8c580
font_07_cff_off0015b28f.bin pdf-font-stream PDF embedded font (cff) at offset 0x15B28F 3512 bytes
SHA-256: 50023c8e3aec60addfd0bb7d5eae71be4aa9830db2746f8bf8f5b842deb64cc0
font_08_cff_off0015bfc7.bin pdf-font-stream PDF embedded font (cff) at offset 0x15BFC7 4148 bytes
SHA-256: 423ef7a313bd776de7fb81095b170c39fea23f0de88e42cb6e10032a646e9164
font_09_cff_off0015d178.bin pdf-font-stream PDF embedded font (cff) at offset 0x15D178 3372 bytes
SHA-256: 8d852c58e7750db4700c95e2743e89b86e33f09f2de5b53af9932f9b4edf6a8f
font_10_cff_off0015de94.bin pdf-font-stream PDF embedded font (cff) at offset 0x15DE94 4378 bytes
SHA-256: 1bfdfe00e1f0031865b1f5693a140df539903c72651a77a0f09dd25841ab6644
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.43, consistent with packed or encrypted content.
font_11_cff_off0015ee11.bin pdf-font-stream PDF embedded font (cff) at offset 0x15EE11 2886 bytes
SHA-256: af514478fb33112a6e2d3b20b29634f312cd6c49e3e207f2167df9ecbbd16110
font_12_cff_off0015f8ca.bin pdf-font-stream PDF embedded font (cff) at offset 0x15F8CA 6086 bytes
SHA-256: aa58c0753b75d24cabfc2d29cf21afa5473854fa842ec6adcc1525838e6dafc4
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.43, consistent with packed or encrypted content.
font_13_cff_off00161d18.bin pdf-font-stream PDF embedded font (cff) at offset 0x161D18 1891 bytes
SHA-256: 7979803019b66d3cba12b09d66e47ed2dc168a515f775e77d057d2adcac1c749
font_14_cff_off00162401.bin pdf-font-stream PDF embedded font (cff) at offset 0x162401 4697 bytes
SHA-256: 26af31d81532cb5eb302b37a00f6aa477beae5f03d20c00ca582469e504e50d7
font_15_cff_off0016345a.bin pdf-font-stream PDF embedded font (cff) at offset 0x16345A 2375 bytes
SHA-256: 3763eca8baee686cb13f2b816e024b808fe64537ede2e77584efc8e39f719ca7
font_16_cff_off00163cd3.bin pdf-font-stream PDF embedded font (cff) at offset 0x163CD3 3288 bytes
SHA-256: c825aa42940183619715eff68dba4991bda63141a23a404940cfc1092b99c1bf
font_17_cff_off001699d6.bin pdf-font-stream PDF embedded font (cff) at offset 0x1699D6 1588 bytes
SHA-256: 289cc6405da0c75a57d89fe9b208546c06286644b00aa40b4ee8bcf426d18632
font_18_cff_off0016b248.bin pdf-font-stream PDF embedded font (cff) at offset 0x16B248 6866 bytes
SHA-256: 079bcc20d88906a3ebb4624144f25ab9adb51f151abdcd2db658b904185d1187
font_19_cff_off0016c5a0.bin pdf-font-stream PDF embedded font (cff) at offset 0x16C5A0 179 bytes
SHA-256: 3812062ca87f21174a700d05c83d08a88f758e64668742271e720dc54e80003d
font_20_cff_off0016c6a6.bin pdf-font-stream PDF embedded font (cff) at offset 0x16C6A6 4346 bytes
SHA-256: c824803cd15ab4c1192750a064d8e9064835d5130bf1ebbfd18f832e0ffc3f25
font_21_cff_off0016d5b2.bin pdf-font-stream PDF embedded font (cff) at offset 0x16D5B2 2161 bytes
SHA-256: a61db8d5b61716ebb6bc84a4f00e6ce062782358857a0a6ad753d7bb190a0005
font_22_cff_off0016e290.bin pdf-font-stream PDF embedded font (cff) at offset 0x16E290 4657 bytes
SHA-256: fc84035512e115debbb334d4b94f997277700167ca9b3988ef891a43fc20fe5a
font_23_sfnt_off00178a53.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x178A53 12556 bytes
SHA-256: e2c9a7b78e8c6829822d5e133bddf4629a724b9b78e500da77f4c6bc3ab00b57