Malicious PDF — malware analysis report

Static analysis result for SHA-256 3a5a71292682bee3…

MALICIOUS

PDF

Size: 881 B
Authoring application: malicious-pdf (via https://github.com/jonaslejon/malicious-pdf)
First seen: 2026-06-10
MD5: 13e69f359d93f2a11c677f6d41e9eddf
SHA-1: 2c6533a8126efb2c26ffe573d0c273528020c681
SHA-256: 3a5a71292682bee3b8135d02c90897834bd9d298a394441e3ffc026a8c04be72
Risk Score: 80

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9949

Heuristics (3)

  • Hex-obfuscated structural name object (severity: high, rule: PDF_OBFUSCATED_NAME_OBJECT)
    A structurally-dangerous PDF name (e.g. /OpenAction, /Launch, /AA, /EmbeddedFile, /SubmitForm) is written with #XX hex escapes to evade string-based scanners. Legitimate producers write these names literally; hex-encoding them is a deliberate obfuscation technique.
  • XFA form (severity: low, rule: PDF_XFA)
    PDF uses XML Forms Architecture — can contain script logic
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL: https://github.com/jonaslejon/malicious-pdf (in PDF document text)