PDF static analysis report

Static analysis result for SHA-256 3f91550c1c6253da…

SUSPICIOUS

PDF

Size: 66.2 KB
Created: 2023-01-22 14:26:42 -07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2026-05-13
MD5: 482f1fc089c81d8c03498c39dd01792c
SHA-1: d487303a46c4aac5ae531508eb578c1799222241
SHA-256: 3f91550c1c6253da76c8167540a793d32351586197a361d3c4590a19d0bc9b0d
Risk Score: 44

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file triggers a heuristic indicating it is a lure for a password-protected archive, suggesting a delivery mechanism that keeps a malicious payload encrypted until after gateway scanning. It also embeds a URL that could be used for further stages of the attack. No scripts were extracted from this sample, which limits the ability to determine specific execution methods.

Machine Learning

  • Nyx PDF Classifier clean score 0.0008

Heuristics (3)

  • Password-protected archive handoff (severity: high, SE_PASSWORD_ARCHIVE_LURE)
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • External URI (severity: info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://thelivinbrand.com/is/is.php (PDF link annotation)
    • http://en.wikipedia.org/wiki/MIT_LicenseIn (PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000c26d.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xC26D
    Size: 12340 bytes
    SHA-256: 8cfa53d1ad4b9c44fd50763e2b771a3d74e900fbd4a10f1be120e571d3195c7a
  • Filename: font_01_sfnt_off0000d46c.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD46C
    Size: 23648 bytes
    SHA-256: 6e7eba5b20609166ae36076aabd0e04ff30af0fbdf9619d35274725eca0a414a