Malicious PDF — malware analysis report

Static analysis result for SHA-256 607dda50d88309f7…

MALICIOUS

PDF

984 B
Authoring application: malicious-pdf (via https://github.com/jonaslejon/malicious-pdf)
First seen: 2026-06-10
MD5: 3bfc68ee02c3fd0a57b2b11dd8e1caa9
SHA-1: e92c72e1043c3dfe680fa721bbf03ff725e3b0fe
SHA-256: 607dda50d88309f7c2207cdb7360e9ed37f25661c2091059b0c1042ac229067c
Risk Score: 84

Machine Learning

  • Nyx PDF Classifier clean score 0.0130

Heuristics 4

  • Hex-obfuscated structural name object [high] PDF_OBFUSCATED_NAME_OBJECT
    A structurally-dangerous PDF name (e.g. /OpenAction, /Launch, /AA, /EmbeddedFile, /SubmitForm) is written with #XX hex escapes to evade string-based scanners. Legitimate producers write these names literally; hex-encoding them is a deliberate obfuscation technique.
  • Remote GoTo action [high] PDF_GOTO_REMOTE
    PDF references an external document via GoToR/GoToE whose target is a URL, UNC path, or executable.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL
    • https://github.com/jonaslejon/malicious-pdf (in PDF document text)
    • https://192.168.1.19 (in PDF document text)