Malicious PDF — malware analysis report

Static analysis result for SHA-256 66e154402f739197…

Verdict: MALICIOUS
File type: PDF
Size: 89.5 KB
Created: 2022-05-05 23:33:15 +03:00
Authoring application: mPDF 7.1.0
First seen: 2026-06-10
MD5: b68cd4c73d24d64faa0ba10c48974852
SHA-1: 5a5af282136047d201fa616a8f5333171dd16c1e
SHA-256: 66e154402f7391974bf7151a4b627a32c59a62150e0c2205bc5efa477dcc7b64
Risk score: 112

Machine Learning

  • Nyx PDF Classifier: clean score 0.0010

Heuristics (5)

  • Secondary embedded PDF body has suspicious static findings (critical, POLYGLOT_CHILD_PDF_STATIC_TRIAGE)
    A valid PDF body was found at a nonzero offset inside another container, and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes the file to a ZIP or OLE parser while a PDF reader or downstream parser opens the hidden PDF payload.
  • Payment redirection / bank-detail change lure (high, SE_PAYMENT_REDIRECT_LURE)
    Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions: a high-value business-email-compromise pattern.
  • Visual download / call-to-action button lure (low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal on its own unless other findings point to a malicious workflow.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL (channel):
    • http://filesoftclub.club/fc/brookstone (PDF link annotation)
    • http://www.fiacasyfutones.com.ar/userfiles/cummins-engine-repair-manual.xml (PDF document text)
    • http://piqiso.ru/userfiles/cummins-engine-service-manual-pdf.xml (PDF document text)
    • http://www.raumboerse-luzern.ch/mieten/bosch-shu43-manual (PDF document text)
    • http://floreswindows.com/images/compaq-presario-4824-manual.pdf (PDF document text)
    • https://hund-gerecht.com/images/compaq-presario-4814-manual.pdf (PDF document text)
    • http://dag.ru/www.risingstars.com.tr/wp-content/plugins/formcraft/file-upload/server/content/files/1627317b2bb451---briggs-and-stratton-generators-5500-manual.pdf (PDF document text)
    • https://www.thebiketube.com/acros-bosch-shu4302uc-manual (PDF document text)
    • http://ns.adobe.com/xap/1.0/ (PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (PDF document text)
    • http://purl.org/dc/elements/1.1/ (PDF document text)
    • http://dejavu.sourceforge.net (PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (PDF document text)
    Only the first URL is clickable: it is the /URI action behind the link annotation and the external URL action the PDF_URI finding refers to. The document-text URLs are inert strings as far as the reader is concerned. The last five (the ns.adobe.com/xap, w3.org rdf-syntax-ns and purl.org/dc namespace URIs, and the two dejavu.sourceforge.net links) are XMP/RDF/Dublin Core namespace identifiers and DejaVu font project links of the kind that mPDF output and its embedded fonts carry, not attacker infrastructure, so they should not be promoted to network indicators.
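Added example (my code, not the analysis platform's extractor) of the per-URL channel labelling the EMBEDDED_URL finding above describes. The script attributes each URL in a PDF to the channel that carries it, distinguishing the clickable /URI action of a link annotation from inert strings in page text, XMP metadata and object dictionaries; it inflates Flate-compressed streams so text URLs become visible, and flags the XMP/RDF/Dublin Core and DejaVu namespace URIs listed in this report as benign. The PDF it parses is constructed inline with placeholder hostnames (lure.example, dl.example) and is not the sample analysed here. The regex parsing is a triage approximation, not a conforming PDF parser: it honours direct /Length values only, falls back to the endstream keyword otherwise, and sees only literal ASCII text.

```python
from __future__ import annotations

import re
import zlib

# Constructed sample, not the file from this report: a minimal PDF with one
# /URI link annotation (the clickable channel), one Flate-compressed page
# content stream showing a URL as visible text, and an XMP metadata stream
# carrying an RDF namespace URI. Hostnames are placeholders.
def build_sample_pdf() -> bytes:
    text = b"BT /F1 12 Tf 72 700 Td (Manual: http://lure.example/manual.pdf) Tj ET"
    packed = zlib.compress(text)
    xmp = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
           b'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/></x:xmpmeta>')
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R /Metadata 6 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed)
        + packed + b"\nendstream",
        b"<< /Type /Annot /Subtype /Link /Rect [72 690 300 712] "
        b"/A << /S /URI /URI (http://dl.example/fc/lure) >> >>",
        b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(xmp)
        + xmp + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for num, body in enumerate(objects, 1):
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


URL_RE = re.compile(rb"https?://[^\s()<>\"']+")
URI_KEY_RE = re.compile(rb"/URI\s*\(([^)]*)\)")        # /URI (literal string) in an action dict
OBJ_RE = re.compile(rb"\d+\s+\d+\s+obj\s*(.*?)\s*endobj", re.S)
STREAM_START_RE = re.compile(rb"^(.*?)stream\r?\n", re.S)
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s*\d+\s+R)")  # direct /Length only, not "n 0 R"
XMP_RE = re.compile(rb"/Type\s*/Metadata|/Subtype\s*/XML")

# Namespace and font-project URIs that producers write into XMP packets and
# embedded fonts; their presence is not a network indicator.
BENIGN_PREFIXES = (
    "http://ns.adobe.com/xap/",
    "http://www.w3.org/1999/02/22-rdf-syntax-ns",
    "http://purl.org/dc/elements/",
    "http://dejavu.sourceforge.net",
)


def extract_urls(pdf: bytes) -> list[tuple[str, str, bool]]:
    """Return sorted (url, channel, benign_namespace) triples, one per distinct URL."""
    found: dict[str, set[str]] = {}

    def add(raw: bytes, channel: str) -> None:
        found.setdefault(raw.decode("latin-1").rstrip(".,;"), set()).add(channel)

    # Channel 1: /URI actions. These are the only URLs a reader navigates to
    # on a click (link annotations, /OpenAction, outline items).
    for m in URI_KEY_RE.finditer(pdf):
        add(m.group(1), "URI action")

    for obj in OBJ_RE.finditer(pdf):
        body = obj.group(1)
        sm = STREAM_START_RE.match(body)
        dict_text = sm.group(1) if sm else body
        if sm:
            lm = LENGTH_RE.search(dict_text)
            start = sm.end()
            if lm:
                data = body[start:start + int(lm.group(1))]
            else:  # indirect /Length: fall back to the endstream keyword
                data = body[start:body.rfind(b"endstream")].rstrip(b"\r\n")
            if b"/FlateDecode" in dict_text:
                try:
                    data = zlib.decompress(data)
                except zlib.error:
                    continue  # truncated or non-zlib body: a triage tool would flag this
            # Channels 2 and 3: strings inside a stream body. Only literal ASCII is
            # seen here; text split across Tj operators or remapped through a
            # custom font encoding needs real content-stream parsing.
            channel = "XMP metadata" if XMP_RE.search(dict_text) else "document text"
            for m in URL_RE.finditer(data):
                add(m.group(0), channel)
        # Channel 4: URL literals in object dictionaries that are not actions
        # (e.g. /Producer strings); skip ones already attributed to an action.
        for m in URL_RE.finditer(dict_text):
            if m.group(0).decode("latin-1").rstrip(".,;") not in found:
                add(m.group(0), "object dictionary")

    return sorted(
        (url, "+".join(sorted(chans)), url.startswith(BENIGN_PREFIXES))
        for url, chans in found.items()
    )


if __name__ == "__main__":
    for url, channel, benign in extract_urls(build_sample_pdf()):
        print(f"{channel:<17} {('benign-ns' if benign else 'review'):<9} {url}")
```

On the constructed file this yields one URI action (the only click-through), one document-text URL and one XMP namespace URI marked benign, which is the same three-way split the finding above relies on when it says a URL is not itself a detection.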

Extracted artifacts (6)

Files carved from inside the sample during analysis. Note that the four polyglot-child entries are not four independent payloads: each starts 15 bytes after the previous one and is 15 bytes shorter, so offset plus size is 91687 for every one of them and they all end at the same point in the file. They are nested views of one trailing PDF body, carved from successive PDF headers near the start of the file, which is consistent with the header block being repeated at the top of the file rather than with the ZIP/OLE front-door polyglot the heuristic text describes; the container here is itself a PDF. The outermost child (offset 0xF) is the one worth examining.

Filename | Kind | Source | Size
stream_009_off00007f1b.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x7F1B | 19996 bytes
  SHA-256: 8e639af5f37a01c952d7fa5ae521c275babc199f4d44038938bf51c1324a673d
font_01_sfnt_off0000b4f7.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xB4F7 | 19964 bytes
  SHA-256: 5154a7c8cf7a9b55c2f939ad6a4a8f8327cd6552b9f68a87c49d10dfc747eaa8
polyglot_child_pdf_off0000000f.pdf | polyglot-child-pdf | Secondary PDF body inside PDF container at offset 0xF | 91672 bytes
  SHA-256: f2e24234130a4fb09fdede2fa54df964e58921219c189c6a705089c6b350e644
polyglot_child_pdf_off0000001e.pdf | polyglot-child-pdf | Secondary PDF body inside PDF container at offset 0x1E | 91657 bytes
  SHA-256: fc60fa01c44b8ae4aae5575f72cb72847c9625bd12743081b3bfb2e23f5af69d
polyglot_child_pdf_off0000002d.pdf | polyglot-child-pdf | Secondary PDF body inside PDF container at offset 0x2D | 91642 bytes
  SHA-256: a08965565f2100596fc9269c37c7dc5769db52ed728f33d1aa9a20ef43f2e4e4
polyglot_child_pdf_off0000003c.pdf | polyglot-child-pdf | Secondary PDF body inside PDF container at offset 0x3C | 91627 bytes
  SHA-256: 01550cd754fab178071b07be9bd52fb71f180693f23b3cf5b332913476c0c535
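A carver of the kind that produced the polyglot-child-pdf rows above, as an added example (my code, not the analysis platform's). It scans for a PDF header at every nonzero offset, carves each candidate up to the last %%EOF marker, applies a cheap structural validity check, collapses children that share an end offset into one distinct payload, and reports a cross-format polyglot only when the offset-0 magic is not PDF and a valid child sits inside the 1024-byte window in which Acrobat-family readers still accept the header. Both input files are constructed inside the block and are not derived from the sample; the repeated-header one mimics the pattern in the table above, where several children begin at successive headers and all end at the same byte.

```python
import hashlib

PDF_MAGIC = b"%PDF-"
# Magics a file-type router checks at offset 0. Acrobat-family readers accept a
# PDF header anywhere in the first 1024 bytes, which is what polyglots rely on.
CONTAINER_MAGICS = (
    (b"PK\x03\x04", "ZIP"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE"),
    (PDF_MAGIC, "PDF"),
)
HEADER_WINDOW = 1024


def minimal_pdf() -> bytes:
    """Constructed one-page PDF body (no xref table; readers rebuild it on load)."""
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
    ]
    body = b"%PDF-1.4\n"
    for num, obj in enumerate(objects, 1):
        body += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    return body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


def zip_fronted_sample() -> bytes:
    """Constructed: ZIP local-file-header magic plus filler, then a PDF body.
    A type router sees ZIP; a PDF reader finds the header inside its window."""
    return b"PK\x03\x04" + b"\x00" * 60 + minimal_pdf()


def repeated_header_sample() -> bytes:
    """Constructed to mirror the artifact table: a PDF container whose header
    line is repeated, so several child bodies are found that all end at the
    same %%EOF and differ only in where they start."""
    header = b"%PDF-1.4\n"
    return header * 4 + minimal_pdf()[len(header):]


def container_kind(data: bytes) -> str:
    for magic, name in CONTAINER_MAGICS:
        if data.startswith(magic):
            return name
    return "unknown"


def looks_like_pdf_body(chunk: bytes) -> bool:
    """Cheap structural check: header, at least one object, a document root, an EOF marker."""
    return (chunk.startswith(PDF_MAGIC) and b" obj" in chunk
            and b"/Root" in chunk and b"%%EOF" in chunk)


def carve_child_pdfs(data: bytes) -> list:
    """Carve every %PDF- header at a nonzero offset up to the last %%EOF after it."""
    eof = data.rfind(b"%%EOF")
    children = []
    off = data.find(PDF_MAGIC, 1)
    while off != -1:
        end = eof + len(b"%%EOF") if eof > off else len(data)
        chunk = data[off:end]
        children.append({
            "offset": off,
            "size": len(chunk),
            "end": end,
            "valid": looks_like_pdf_body(chunk),
            "in_header_window": off < HEADER_WINDOW,
            "sha256": hashlib.sha256(chunk).hexdigest(),
        })
        off = data.find(PDF_MAGIC, off + 1)
    return children


def triage(data: bytes) -> dict:
    """Summarise carved children and decide whether this is a cross-format polyglot."""
    kind = container_kind(data)
    children = carve_child_pdfs(data)
    # Children sharing an end offset are nested views of one trailing body;
    # only the outermost (lowest offset) is a distinct payload worth scanning.
    distinct = {}
    for child in children:
        distinct.setdefault(child["end"], child)
    cross_format = kind != "PDF" and any(
        c["valid"] and c["in_header_window"] for c in children)
    return {
        "container": kind,
        "child_count": len(children),
        "distinct_payloads": [c["offset"] for c in distinct.values()],
        "cross_format_polyglot": cross_format,
        "children": children,
    }


if __name__ == "__main__":
    for sample in (zip_fronted_sample(), repeated_header_sample()):
        r = triage(sample)
        print(r["container"], [(c["offset"], c["size"]) for c in r["children"]],
              "distinct:", r["distinct_payloads"], "cross-format:", r["cross_format_polyglot"])
```

Run against the repeated-header file, the carver reports three children at 9, 18 and 27 bytes that all end at the same offset and collapses them to a single distinct payload, which is how the four rows in the table above should be read; the ZIP-fronted file is the case the heuristic text is really aimed at, with a non-PDF magic at offset 0 and a valid PDF body inside the header window.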