Malicious PDF — malware analysis report

Static analysis result for SHA-256 480ca8d806f6f49d…

MALICIOUS

PDF

Size: 476.9 KB
Authoring application: Skia/PDF m150 Google Docs Renderer
First seen: 2026-06-07
MD5: aac2a926e8192bf1594fe7cca5304fa2
SHA-1: e5505e987240c93892310e3d1cc66771daab9c27
SHA-256: 480ca8d806f6f49d0d5ebdff04720a43a0d2458670137198df9e3b2d5a964c2b
Risk Score: 68

Machine Learning

  • Nyx PDF Classifier clean score 0.0001

Heuristics 3

  • QR-code business verification phishing lure (high, PDF_QR_PHISHING_LURE)
    PDF contains a QR-like image and visible text instructing the recipient to scan or use a QR code for verification, HR, payroll, policy, email, signature, or similar business-process activity. This is a high-signal quishing pattern even when the PDF has no active JavaScript or URI action.
  • Callback phishing phone lure (medium, SE_CALLBACK_LURE)
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) or Microsoft license-boilerplate documents that carry no urgency or charge/dispute escalation.
  • Urgency / deadline lure (low, SE_URGENCY_LURE)
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings.

Extracted artifacts 8

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
stream_047_off00041de8.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x41DE8 | 18240 bytes
SHA-256: a2c05697b5e85ae44c5ebbd7043315fd0deb6c369eb3c21604d8d63feb3c8170
stream_056_off00046b47.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x46B47 | 61272 bytes
SHA-256: 0ae7b1af0d6e33407f4b498efefbdcdd4d74160bb10de5b1988122b1e3b5c41a
stream_076_off00059958.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x59958 | 18240 bytes
SHA-256: 33e060654ed1208fc726f2323a8a9e7d9de6f6c8c2aedd340c7ed605b422fc95
font_01_sfnt_off0004f54b.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x4F54B | 13880 bytes
SHA-256: e6eaa2f3c67f24de07061a4e7b85841f4333efbed877d9524db2538dcf313b8a
font_02_sfnt_off0004fe37.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x4FE37 | 217684 bytes
SHA-256: 4f4d322550eaaa36b77995b80ca9550ff5b249d09f78aba9e29c1530f7d1eff9
font_03_sfnt_off00050eb5.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x50EB5 | 29100 bytes
SHA-256: 50d0e023038d258eacaad0e60beadfc66d43519f14aac2e75488b54d734dc845
font_04_sfnt_off000517eb.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x517EB | 20084 bytes
SHA-256: 6b2b6a03094d45bc5cc0af8a8017d2b432aea997d610fbe40f2e6ffa2dbfad2e
font_05_sfnt_off00071472.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x71472 | 1000 bytes
SHA-256: 8852dc3465b293666e0341adfee088f623b0d3b79f4a265559d031001c00af63