Malicious PDF — malware analysis report

Static analysis result for SHA-256 27a8ca256fafc1df…

Verdict: MALICIOUS
File type: PDF
Size: 44.6 KB
First seen: 2026-06-07
MD5: 8932d48e6bd7cc373b50a9f2c30094f5
SHA-1: c22a2dcee82ee11b6593bfa6235f010141ef8fb7
SHA-256: 27a8ca256fafc1dfc4bac43a49cdc51aba179369fb9daa8d6301d181e30d8fbf
Risk Score: 70

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains an image-only lure, typical of phishing attacks, with a clickable URL disguised using PDF string escapes. The document's content suggests a fake invoice or payment request, aiming to deceive the user into interacting with the embedded link. While the extracted URLs are confirmed benign, the overall structure and heuristic firings strongly indicate a phishing attempt.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0196

Heuristics (4)

  • Image-heavy PDF hides clickable URL with PDF string escapes [high] PDF_ESCAPED_URI_IMAGE_LURE
    PDF is image-heavy with little real text, and its clickable HTTP(S) URI is encoded with PDF octal escapes. This combination is common in credential-phishing PDFs that render a screenshot-like prompt and obscure the destination from simple URL extractors.
  • Image-only document with action trigger (screenshot lure) [medium] PDF_IMAGE_LURE
    PDF has 2 image(s) and 0 text block(s), carries a click-outward action, and is only 44 KB. This is the typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • Fake invoice / payment lure [low] SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb. Useful context when combined with link, macro, or attachment indicators.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://login.microsoftonline.com/common/oauth2/v2.0/authorize?scope=openid&prompt=none&client_id=8f815968-5fd0-4b50-b541-67ca8aa7593f&state=todd.payne@wilsonsadvisory.com.au (in document body)
    • http://en.wikipedia.org/wiki/MIT_License (in document body)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      | Kind            | Source                                    | Size
------------------------------|-----------------|-------------------------------------------|------------
font_00_sfnt_off00000c39.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0xC39  | 14840 bytes
  SHA-256: cfc84db5b3e007fbb0538770b3f9ec550d9bb90e0d3de67c9242647215b90aa0
font_01_sfnt_off0000277c.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0x277C | 17020 bytes
  SHA-256: 5c3fd361b25404dd1388a761164bfcc24aa90b322aaa9e092786f63764ae0c3b