Malicious PDF — malware analysis report

Static analysis result for SHA-256 4f9ac8583ee9a702…

Verdict: MALICIOUS
File type: PDF
Size: 1.05 MB
Created: 2026-05-01 16:31:05
Authoring application: Dox PDF (via Amdocs Document Designer)
MD5: 0b80d8494375fad2f9073adbb85117f9
SHA-1: 2e8eb7b719b43111de849509e9e94f723490d6c6
SHA-256: 4f9ac8583ee9a70206f9c4a4085665323087b68b44641883b6dbe76bd0d47b12
Risk Score: 72

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains heuristics indicating it's a fake invoice or payment lure, and also a callback phishing lure. It embeds external URIs pointing to payment-related websites. A generic JavaScript exploit stage was recovered, suggesting the PDF is designed to download and execute a second-stage payload, likely related to the phishing or scam attempt.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0001

Heuristics (6)

  • Generic recovered JavaScript exploit stage (severity: high, rule: PDF_GENERIC_STAGE_RECOVERY)
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • Callback phishing phone lure (severity: medium, rule: SE_CALLBACK_LURE)
    Document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context, consistent with callback phishing or tech-support scam patterns.
  • Fake invoice / payment lure (severity: low, rule: SE_INVOICE_LURE)
    Document contains invoice or payment language paired with an action verb; useful context when combined with link, macro, or attachment indicators.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Suspicious extracted artifact (severity: info, rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://www.maxis.com.my/en/payment/
    • https://care.maxis.com.my/

Extracted artifacts (17)

Files carved from inside the sample during analysis.

Columns: Filename, Kind, Source, Size, SHA-256

stream_016_off00080bd2.bin
  Kind:    decompressed-pdf-stream
  Source:  PDF FlateDecoded stream at offset 0x80BD2
  Size:    160696 bytes
  SHA-256: 02868d6a7e80d4e7836b6263dd50d26a63e923a1223c9e027aad6dc2501c27cc

stream_017_off000954f0.bin
  Kind:    decompressed-pdf-stream
  Source:  PDF FlateDecoded stream at offset 0x954F0
  Size:    158604 bytes
  SHA-256: 16466ef65064e6f3885a6d2806b8949ac1ac38b524dd0cf8fc96565eb4cc28e8

stream_018_off000a98b4.bin
  Kind:    decompressed-pdf-stream
  Source:  PDF FlateDecoded stream at offset 0xA98B4
  Size:    77084 bytes
  SHA-256: cd700ee3d24c662c8e54e92047837d8ef0a63492dc6f3134daf988ff7fe7cd4f

stream_020_off000bd30e.bin
  Kind:    decompressed-pdf-stream
  Source:  PDF FlateDecoded stream at offset 0xBD30E
  Size:    73232 bytes
  SHA-256: b3eae010489f8440902f564db8cfd3d5811c9cb76fcc9c810dfb0d81c836d0bc

generic_stage_recovery_000.js
  Kind:    deobfuscated-js
  Source:  generic stage recovery (marker-ce-to-%u) from decompressed stream at 0x8DEA, at offset 0x8DEA
  Size:    262144 bytes
  SHA-256: b18fbb3e97f6338cf85d53f5206c8b09dd2589397c269e3631ec7044e28a0a0b
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact contains 1 long base64-like blob(s).

generic_stage_recovery_001.js
  Kind:    deobfuscated-js
  Source:  generic stage recovery (marker-dedde-to-%u) from decompressed stream at 0x42364, at offset 0x42364
  Size:    174212 bytes
  SHA-256: 12fdd0621cbed697a19cf1ad373dcb415fa533e0ac8f339fdc498ab23e82707f

generic_stage_recovery_002.js
  Kind:    deobfuscated-js
  Source:  generic stage recovery (null-collapse) from decompressed stream at 0xDA31B, at offset 0xDA31B
  Size:    62717 bytes
  SHA-256: c57d07eaaf85e02bb5d3c67782019e6091390f386cc4778024712e4c9ed24b9f

generic_stage_recovery_003.js
  Kind:    deobfuscated-js
  Source:  generic stage recovery (null-collapse) from decompressed stream at 0xEDE1F, at offset 0xEDE1F
  Size:    62107 bytes
  SHA-256: f7e3100c3ba1e0da10ae1de7dba8e1bd70fdcc09e4759e877951969623f02c2d

generic_stage_recovery_004.js
  Kind:    deobfuscated-js
  Source:  generic stage recovery (split-literal-normalize) from decompressed stream at 0xEDE1F, at offset 0xEDE1F
  Size:    77458 bytes
  SHA-256: 92255edf3e3b6140a34fd20322990d1f11b439b93acbee659cfd914c36149e58

generic_stage_recovery_005.js
  Kind:    deobfuscated-js
  Source:  generic stage recovery (null-collapse -> split-literal-normalize) from decompressed stream at 0xEDE1F, at offset 0xEDE1F
  Size:    62101 bytes
  SHA-256: 0c0d6c678b35333b1a584e8754a30c02a114015d31d1fe7e44a04998e945b004

font_03_sfnt_off000b34b5.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xB34B5
  Size:    73612 bytes
  SHA-256: ff06bff5d83843f5581ea7cef266f293d2af1826ea4c569a5a54379e0e572d81

font_05_sfnt_off000c714e.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xC714E
  Size:    72488 bytes
  SHA-256: 51b5f0610956c53da468b3a01b357786bc22d3345a5aa9d14ebdb9c99c7f6c50

font_06_sfnt_off000d0afb.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xD0AFB
  Size:    77252 bytes
  SHA-256: 49d10131ee82ab49c6c0661a3f2bc1687728fd16e591cf0d796b6d9d1021d10b

font_07_sfnt_off000da31b.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xDA31B
  Size:    78120 bytes
  SHA-256: 36e646517bb347dfd9159acac7731bd631d991b9a976dfd0a638aa4dea41f697

font_08_sfnt_off000e4029.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xE4029
  Size:    73700 bytes
  SHA-256: 44567531851858845f920fedfefdc130c20660d05f62c76a425e55c1bbe9a0d6

font_09_sfnt_off000ede1f.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xEDE1F
  Size:    77464 bytes
  SHA-256: 2ff61ce3e9a4f24fb08d61b9fb98f24fcb27b6c9aa6674988dc708959e9d6614

font_10_sfnt_off000f7a6f.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xF7A6F
  Size:    163448 bytes
  SHA-256: 24571503140760240924dcd1238f77e7cd0454c0d8b0793990cefa2fad71471f