Malicious PDF — malware analysis report

Static analysis result for SHA-256 205064af53c802ca…

MALICIOUS

PDF

86.6 KB Created: 2026-01-19 19:08:48 +03:00 Authoring application: PDF-XChange Editor 10.7.2.400 (via PDF-XChange Core API SDK (10.7.2.400))
MD5: a26c10d9353e03961c3e5e1787ad5d2c SHA-1: 3ca6ca878c7e239b2e89cb21a7cba2f3a7e093ad SHA-256: 205064af53c802ca95a0f902096c0e1f2684081b73c3f6e4005a1af9f778c6aa
68 Risk Score

Machine Learning

  • Nyx PDF Classifier suspicious score 0.4265

Heuristics 4

  • Image/button lure links to file-hosting download high PDF_FILE_HOSTING_DOWNLOAD_LURE
    PDF is an image-only or near-image-only lure with a clickable action to a public file-hosting download endpoint. This is a common malware delivery pattern: the visible page is just a screenshot/button, while the real payload is fetched from the external hosting service.
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 86 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • https://pixeldrain.com/api/file/6Bpe2iwx

Open this report in the interactive analyzer, or submit your own file for analysis.