Malicious PDF — malware analysis report

Static analysis result for SHA-256 040cf0a97885eac9…

MALICIOUS

PDF

2.03 MB Authoring application: Skia/PDF m150 Google Docs Renderer First seen: 2026-05-22
MD5: e82ff4ff85656d6c2573be39e34868ac SHA-1: 448fb1225dc51ffd60f077ca21bb090ea6b70f4d SHA-256: 040cf0a97885eac96d58f2ba5498e9302a857e215741d0773466fb6e015c9f4a
66 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains embedded URLs that lead to suspicious domains, one of which is flagged as unknown. The document body text, while appearing to be a review, is likely a lure to encourage users to click these links. The presence of external URIs and suspicious hosts indicates an attempt to redirect the user to a malicious site, potentially for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier clean score 0.0023

Heuristics 4

  • Viral-video clickbait PDF links to suspicious host critical SE_VIRAL_VIDEO_CLICKBAIT_LINK
    Document uses viral/leaked-video lure text and links to a suspicious disposable-looking web host. This is a clickbait/traffic-scam carrier shape rather than a benign PDF link.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://5debdre4s0m6dz3jum1dlsxo30.hop.clickbank.net PDF link annotation
    • https://5debdre4s0m6dz3jum1dlsxo30.hop.clickPDF link annotation
🗂 Part of campaign: hop.click 54 samples

Extracted artifacts 8

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_001_off000002c7.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x2C7 349848 bytes
SHA-256: 0b68c76c2eeee8ca2d52b61dd2cc1a1b52b6ff7d1c7324da6f7a94469647f3aa
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.60, consistent with packed or encrypted content.
stream_004_off00051757.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x51757 638676 bytes
SHA-256: 10a047902c62442d429253570987fad613b2e0fabf436cf3891856582ff94515
stream_006_off000c1591.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0xC1591 611556 bytes
SHA-256: 489b7761f8d91b3891d38cd318812847f1d8c9f52c0b87c7f9d243848bef2d24
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.61, consistent with packed or encrypted content.
stream_010_off00140635.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x140635 408156 bytes
SHA-256: 6e092989f2fc28ed2aab5bc3db0b932f9dc62baf0f1479e50552aa082fcd1fa2
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.41, consistent with packed or encrypted content.
stream_012_off001853b6.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x1853B6 611556 bytes
SHA-256: 6addc4ae8b09710a2616d356feb27fdb62fb5b0a1255698f71bb0c411f2fdfe1
icc_00_off000000f0.icc pdf-icc-profile PDF ICC profile at offset 0xF0 536 bytes
SHA-256: d9f822e8083f2f4d1c91e887454be5f75e8c7144b2853408f361e3c4a7a6b36d
font_00_sfnt_off001f8158.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1F8158 55248 bytes
SHA-256: 71f28ea25ed70a792cfaa5394239313e8f22344edf1de92fe11a91c1bad14955
font_01_sfnt_off001ff8a5.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1FF8A5 36132 bytes
SHA-256: b3eb3ee8b538332ad2f924c1906635fd08688655d6f8a08a03de21f9b543d8c9