Malicious PDF — malware analysis report

Static analysis result for SHA-256 6424bc22c27cbffb…

MALICIOUS

PDF

Size: 98.0 KB
Created: 2026-06-04 20:25:25 +00:00
Authoring application: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/143.0.0.0 Safari/537.36 (via Skia/PDF m143)
First seen: 2026-06-05
MD5: 2b8feaf072aee83e33e9bdd4d742ee6e
SHA-1: 3aaaf0019b5684e5c5980b6eb8a8e2e9cb4f7148
SHA-256: 6424bc22c27cbffba8ee8be1eba8215241bfa2e84a7dd35c72e297c2278c7d15
Risk Score: 60

Machine Learning

  • Nyx PDF Classifier clean score 0.0001

Heuristics 2

  • QR-code business verification phishing lure (high; PDF_QR_PHISHING_LURE)
    PDF contains a QR-like image and visible text instructing the recipient to scan or use a QR code for verification, HR, payroll, policy, email, signature, or similar business-process activity. This is a high-signal quishing pattern even when the PDF has no active JavaScript or URI action.
  • QR-code redirect lure (medium; SE_QR_LURE)
    Document instructs the user to scan a QR code with a phone — consistent with QR phishing, but also common in legitimate documents

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
icc_00_off00000196.icc | pdf-icc-profile | PDF ICC profile at offset 0x196 | 536 bytes
    SHA-256: d9f822e8083f2f4d1c91e887454be5f75e8c7144b2853408f361e3c4a7a6b36d
font_00_sfnt_off0000712a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x712A | 53476 bytes
    SHA-256: 24cccdd0644250268151c99572dc20187d4ca8050f5c7a74c6fea6169a9ee690
font_01_sfnt_off0000fee6.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFEE6 | 33264 bytes
    SHA-256: deb061c0d40cbe9d567f4484877b2ff728dec3298ccdeca6617d5fea784c2a0a
font_02_sfnt_off0001577d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1577D | 17012 bytes
    SHA-256: 74d544edcf2ba2606680c355d0a5c8c2781ec37c0e686e5415350d7931249fc5