Malicious PDF — malware analysis report

Static analysis result for SHA-256 42565fffd56997b6…

MALICIOUS

PDF

96.3 KB Created: 2021-12-08 06:25:50 +03:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2026-06-15
MD5: f97943d60e17a47d690f4a01eb6116a5 SHA-1: aa3ce642b375507a224654306ccf5459cfe7340d SHA-256: 42565fffd56997b689c84fe66db13c3bf7decf09044c40b20a636c9e81300980
64 Risk Score

Machine Learning

  • Nyx PDF Classifier clean score 0.0239

Heuristics 4

  • Payment redirection / bank-detail change lure high SE_PAYMENT_REDIRECT_LURE
    Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern
  • Malformed active-content stream length medium PDF_MALFORMED_EXPLOIT_STREAM_LENGTH
    A PDF stream that carries active/exploit-looking content has a declared /Length that does not match the recovered stream body. Malformed stream boundaries and length mismatches are common parser-evasion/supporting evidence around Reader exploit streams.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://getpdf.pw/book?res=123&isbn=9781526707543&kwd=The%2019th%20Century%20Criminal%20Underworld PDF link annotation
    • https://static.s123-cdn-static.com/uploads/4660533/normal_61afae0ba3aa6.pdfIn PDF document text
    • https://static.s123-cdn.com/uploads/4659890/normal_61af84dcd6eba.pdfIn PDF document text
    • http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_007_off00011f34.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x11F34 22352 bytes
SHA-256: c6910d93053802784ee178c67d79d998d49845ce1463874c6fa3b24af94747de
font_01_sfnt_off00015354.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x15354 19904 bytes
SHA-256: 1c088e7163f9de82535095ce5cbceb5c4eb3c3dca475d4f206adedc1ccb78a06