Malicious PDF — malware analysis report

Static analysis result for SHA-256 095ffe0ddcf09a66…

Verdict: MALICIOUS
File type: PDF

Size: 9.84 MB
Created: 2021-08-10 05:52:56 +00:00
Authoring application: calibre (5.24.0) [https://calibre-ebook.com]
First seen: 2026-05-28
MD5: 31a552e49eff1bd56a7e94b418f9203f
SHA-1: 1776774c7ef2efa82b53813c82bc35024fb5c4f9
SHA-256: 095ffe0ddcf09a66e7abdc8cd2a320af1c264eb6bb51fa34e842e2906003c219
Risk score: 84

Machine Learning

  • Nyx PDF Classifier: clean score 0.2383

Heuristics (5)

  • PRC/3D content in PDF (severity: high, CVE related) [PDF_PRC_3D]
    PDF contains PRC 3D content. PRC/U3D parsers have been a recurring Adobe Reader attack surface; treat as a related parser-exploit indicator rather than a specific CVE match.
  • Unusually high stream count (severity: medium) [PDF_MANY_STREAMS]
    PDF contains 501+ stream objects; may indicate heap spray or heavy obfuscation.
  • Suspicious extracted artifact (severity: medium) [EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • External URI (severity: info) [PDF_URI]
    PDF contains an external URL action.
  • Embedded URL (severity: info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted:
    • https://snusertranslation.com/ (in PDF document text)
    • https://calibre-ebook.com])/ModDate(D:20210809225258-08 (in PDF document text; the extractor ran past the closing bracket of the calibre Producer string into the adjacent /ModDate entry of the Info dictionary, so this is the same calibre URL, not a distinct indicator)
    • https://ncode.syosetu.com/n2267be/ (PDF link annotation)
    • https://calibre-ebook.com (in PDF document text)

Extracted artifacts (14)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
stream_008_off000061cd.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x61CD | 2579550 bytes
  SHA-256: c93b75aaaf59d688f9020395de741c4674b0ad38fe5a101f5d5dfa0ccafabb7b
stream_076_off001a89fd.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x1A89FD | 2910444 bytes
  SHA-256: 7a74e8e0a8d9cfae5580b68011936c5f6784fe24f2cc162b7f989b2149fff195
stream_101_off002564b7.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x2564B7 | 2793030 bytes
  SHA-256: f21899fed5d99650c4951ab6448928a85cc2425ac14a288589e99b318621c917
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely
    Static shellcode analysis found candidate code region(s). Indicators: NOP sled
stream_178_off0031681f.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x31681F | 2793030 bytes
  SHA-256: 56389a6924b6fa2c8d43e6797bbe2333df83baaa52c20fa31855192217723305
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely
    2538 of 3919 identifiers look randomly generated (e.g. 'AAAAAAAAABBBDDDFFFFFFFFFFFFHHHJJJMMMRRRU'); consistent with name-mangling obfuscation. Carved artifact contains 984 long base64-like blob(s).
font_00_sfnt_off0000232c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x232C | 17704 bytes
  SHA-256: 732d78afd0400c36ef1f8dc630eb5f98def1d299d94515ef90a4df8f35d81216
font_01_sfnt_off0018fb39.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x18FB39 | 34316 bytes
  SHA-256: 546e8380d5b071504f480700e21eb99bfd00843a54ec25ad41d1156012ae1de9
font_02_sfnt_off0019d82d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x19D82D | 57204 bytes
  SHA-256: fb14c5b9cd1b1e5d92f4c3979a24adf888f5b93a2fc30e99b58430ad2c6702a0
font_03_sfnt_off0019f537.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x19F537 | 13808 bytes
  SHA-256: fb1d60dfc9b48a865379c685da1086e7af8df9570b410687aafd9e992c770e89
font_04_sfnt_off001a3aa7.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1A3AA7 | 23428 bytes
  SHA-256: 20f976b608ad8f6f659597e8873953ddce931dcd7edf81670b26366284dc5be8
font_05_sfnt_off00255248.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x255248 | 9024 bytes
  SHA-256: c3fbc558fe06f67f0cc56496c0af60096782e42ea313c4ab923d9185d06382eb
font_06_sfnt_off003b5dd8.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x3B5DD8 | 11252 bytes
  SHA-256: 3cb69a3b7d20a76a5543cfa58f330eeee6ceb2ab7ecb5a7b213f3b5dc866113d
font_07_sfnt_off005b1ac4.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5B1AC4 | 18548 bytes
  SHA-256: 2303e1f456833e968b198fa59411370bd410feea4c51e9a72f68f722ac986955
font_08_sfnt_off006667a6.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6667A6 | 37652 bytes
  SHA-256: 7e572066580f3f3011bb4ad6ad6ac5fa373ff7ee03e923c0155747cb789cf108
font_09_sfnt_off0099f931.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x99F931 | 13700 bytes
  SHA-256: 4729d189743b7fbd344e5fe19cd082dd6b0cf40cb2e26cb1dc51419d53080327