Malicious PDF — malware analysis report

Static analysis result for SHA-256 433cf0d55e5d2e06…

Verdict: MALICIOUS
File type: PDF
Size: 65.1 KB
Authoring application: (unreadable string; the document is encrypted, so its metadata strings are opaque to static scan)
First seen: 2026-05-09
MD5: cafb758514b16678a7bc2fd4e3f98107
SHA-1: 50cbebf1a83dc98ab0d05327226bde9143747a59
SHA-256: 433cf0d55e5d2e0648ef4ee4abaf76a2ba1d35b616bb4f7ed87eb8e9cc80aad0
Risk score: 64

Digital signature: Signed

A signature covers the whole signed byte range — PDF JavaScript is never signed on its own — and does not by itself mean the document is safe.

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains an embedded URL that triggers a remote GoTo action, indicating an attempt to redirect the user to an external resource. The PDF is also encrypted, which can be used to hide malicious content. No scripts were extracted from this sample. The benign URLs are likely standard PDF namespace declarations.

Machine Learning

  • Nyx PDF Classifier clean score 0.0147

Heuristics (4)

  • UNC path in PDF — possible NTLM credential theft (CVE-2018-4993/CVE-2019-7089) [severity: high] [CVE likely: CVE_2018_4993]
    PDF contains a UNC path (\\server\share) alongside action triggers — when a vulnerable viewer resolves this path, Windows may send NTLM credentials to the remote host as the matching PDF action is processed.
  • Remote GoTo action [severity: medium] [PDF_GOTO_REMOTE]
    PDF references a remote or embedded document via GoToR/GoToE with an extension-less or unresolved target.
  • Encrypted PDF (string and stream contents are opaque to static scan) [severity: info] [PDF_ENCRYPTED]
    PDF declares /Encrypt — string objects and stream contents are encrypted with the standard security handler (RC4 or AES). On its own this is informational; legitimate encrypted documents include signed contracts, billing statements, and rights-managed material. Static heuristics cannot inspect encrypted payload bytes.
  • Embedded URL [severity: info] [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • \\rid9nroqwc5dnzfefe3eyi9rfil89x.burpcollaborator.net\test (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                       Kind             Source                                      Size
font_00_sfnt_off000097fb.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x97FB   34064 bytes
  SHA-256: 3087b79b042496e1b0871f305b97ca0b56f6a6b97984bb74b424acbf012bbaca
font_01_sfnt_off0000cd7a.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xCD7A   32728 bytes
  SHA-256: 402efc90864363c89304aee1e27bd1ea90a170e5ec9f9e8e7927cb11b3740663