Malicious PDF — malware analysis report

Static analysis result for SHA-256 6935581c3d969f7e…

MALICIOUS

PDF

Size: 436.0 KB
Created: 2025-03-21 16:15:19 +00:00
Authoring application: Canva
First seen: 2026-06-10
MD5: 6fae300a73a1020c7508b65635b56ce9
SHA-1: fe21fca275483c4e2386e5137c96b2e2fbaffc03
SHA-256: 6935581c3d969f7eebb568bc43e8288c8009ed384b827bfce88ee99f570081ec
Risk score: 82

Machine Learning

  • Nyx PDF Classifier: clean score 0.0003

Heuristics (4)

  • Image-heavy PDF with invisible link to suspicious domain (severity: high, rule: PDF_SUSPICIOUS_LINK_LURE)
    PDF is a small image-heavy lure with invisible link annotations that send the user to a suspicious high-risk-domain URI. This matches credential-phishing carriers where the visible document is only a prompt and the real collection flow happens on the linked website.
  • Clickable URI uses URL shortener (severity: medium, rule: PDF_URL_SHORTENER_URI)
    PDF contains a clickable HTTP(S) action whose destination is a URL shortener. This hides the final landing page from static review and is common in phishing redirect PDFs.
  • Suspicious extracted artifact (severity: medium, rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://secured.project.requirements.doc.filenest.site/view/project_file.pdf (channel: in PDF document text)
    • https://rebrand.ly/82b4fd (channel: in PDF document text)

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • stream_001_off00033909.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x33909
    Size: 878220 bytes
    SHA-256: a4e6194a8d184a987de53f9050d0e8b9f1d885deefc2bbfeca30b60064aa7636
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely
    Static shellcode analysis found candidate code region(s). Indicators: heap spray 0x04
  • icc_00_off00064386.icc
    Kind: pdf-icc-profile
    Source: PDF ICC profile at offset 0x64386
    Size: 536 bytes
    SHA-256: d9f822e8083f2f4d1c91e887454be5f75e8c7144b2853408f361e3c4a7a6b36d
  • font_00_sfnt_off0006b5fc.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6B5FC
    Size: 6452 bytes
    SHA-256: a3deedbf4f4b480380b645972ef9732746621a8ec8fc2e5471042f3fc9de3230
  • font_01_sfnt_off0006c271.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6C271
    Size: 3392 bytes
    SHA-256: 8ebc8c6b1b9d1163e4e013f16f481f190d86cc8061b6a584fd046021f7957de9