Malicious PDF — malware analysis report

Static analysis result for SHA-256 49f1f8c5de7f9508…

MALICIOUS

PDF

243.6 KB Created: 2015-10-01 14:27:01 -07:00 Authoring application: RAD PDF (via RAD PDF 2.32.6.0 - http://www.radpdf.com) First seen: 2026-05-04
MD5: 8c428fa4c576feac33cb1ae1d2e00c23 SHA-1: b98408837eb7497ec2340d5fb6b507dfd99175ab SHA-256: 49f1f8c5de7f9508c7972d777c08c8c1b147c97afc17ca7cba67b70544e61164
64 Risk Score

Machine Learning

  • Nyx PDF Classifier clean score 0.2169

Heuristics 4

  • Image-only PDF lure links to a brand-impersonating path on an unrelated host high PDF_IMAGE_LURE_BRAND_PATH_LINK
    PDF is image-heavy with little real text and its clickable action targets a URL carrying a brand name ('adobe') as a path segment on a host that does not belong to that brand and is not known-good (e.g. 'sodecoperu.com/Docusign/index.php'). This is the credential-phishing carrier shape where a compromised or unrelated host serves a brand-named phishing kit behind a screenshot-like lure page. Distinct from the typosquat-host rule: here the host is honest-looking but the brand lives in the path.
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 1 image(s), only 1 text block(s), carries a click-outward action, and is only 243 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://shridantrust.com/photos/lo/adobe/adobe.htm PDF link annotation
    • http://www.dynaforms.comIn PDF document text
    • http://www.radpdf.comIn PDF document text
    • http://www.iec.chIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://www.microsoft.com/typography/ctfontshttp://fontfabrik.comYouIn PDF document text
    • http://www.microsoft.com/typography/fonts/default.aspxIn PDF document text
    • http://crl.microsoft.com/pki/crl/products/CSPCA.crl0HIn PDF document text
    • http://www.microsoft.com/pki/certs/CSPCA.crt0In PDF document text
    • http://crl.microsoft.com/pki/crl/products/tspca.crl0HIn PDF document text
    • http://www.microsoft.com/pki/certs/tspca.crt0In PDF document text
    • http://www.microsoft.com/typographyIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00000447.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x447 169476 bytes
SHA-256: a6eacb5f4c318f191f5c7ef56b8a9d24965db43dd12e86dc8eafc984e1163d47
font_01_sfnt_off0001340f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1340F 39788 bytes
SHA-256: 71f04eb0a43e49cb119288ed8821d0c62f8ea4e454b9af74768f689464c0e526