Malicious PDF — malware analysis report

Static analysis result for SHA-256 3076433e2475a695…

MALICIOUS

PDF

13.60 MB
First seen: 2026-05-08
MD5: 5ca4045001a0c11cc1661c514499db6a
SHA-1: efe12a2fcd20f1d13c27f270ea9f38f2d8645948
SHA-256: 3076433e2475a69532dfdfa020877d9b2247a0aa8760e354b3507e9b14a84095
Risk Score: 88

Machine Learning

  • Nyx PDF Classifier clean score 0.0087

Heuristics 7

  • JavaScript action (severity: low; 2 related findings; rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript submits form data to external URL (severity: high; rule: PDF_JS_SUBMITFORM_URL)
    PDF JavaScript calls submitForm() with an external HTTP(S) URL. This can send form/document context to a remote endpoint or route the user into a credential-phishing flow. It is a behavioral indicator, not a parser exploit signal.
  • Embedded JS stream (severity: low; rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • SubmitForm action (severity: medium; rule: PDF_SUBMITFORM)
    PDF has a /SubmitForm action — form data can be silently posted to an attacker-controlled URL
  • AcroForm button with action trigger (severity: low; rule: PDF_ACROFORM_BUTTON)
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • External URI (severity: info; rule: PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: javascript_obj23519_000.js
Kind: pdf-javascript-stream
Source: PDF /JS object 23519 at offset 0x4681F
Size: 145 bytes
SHA-256: df246024cf51d0eeefc96e4b3ddc6d6f4e67a9b06244fa1113b1c85ca7006c60

First 1,000 lines of the extracted script:

if (event.commitKey == 2)
this.submitForm("http://search.freefind.com/find.html", false, true, "NIBMOGOGABJLENFHOAOIDAFHLGILNACG.form2.x", true);