PDF static analysis report

Static analysis result for SHA-256 6b0e52aab7ae572a…

CLEAN

PDF

Size: 1.65 MB
Created: (not decodable; document strings are encrypted, see the PDF_ENCRYPTED heuristic below)
Authoring application: (not decodable; document strings are encrypted, see the PDF_ENCRYPTED heuristic below)
First seen: 2026-05-11
MD5: eef3321447689b7e69ea7d52970277df
SHA-1: 46b5a0b61877949a64143171870a84fda50cbbad
SHA-256: 6b0e52aab7ae572a51b8466beca29a247fdc2b7611cbaae80b7cdaec6b2bd5e7
Risk Score: 16

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF is encrypted and contains no readable text, relying on images and potentially invisible links to trick the user. Heuristics indicate it's an image-only lure with an AcroForm button that could trigger an action. The presence of embedded URLs, including suspicious ones like 'http://www.pc104.org/', suggests an attempt to redirect the user to a malicious site for further exploitation. The PDF structure and embedded content are consistent with a downloader or exploit delivery mechanism.

Machine Learning

  • Nyx PDF Classifier clean score 0.0527

Heuristics (5)

  • AcroForm button with action trigger [low] PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • Encrypted PDF (string and stream contents are opaque to static scan) [info] PDF_ENCRYPTED
    PDF declares /Encrypt — string objects and stream contents are encrypted with the standard security handler (RC4 or AES). On its own this is informational; legitimate encrypted documents include signed contracts, billing statements, and rights-managed material. Static heuristics cannot inspect encrypted payload bytes.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL | Source
    • http://www.pc104.org/ | In PDF document text
    • http://anzeigen.automatisieren.org | In PDF document text
    • http://www.monotype.com (Monotype) | In PDF document text
    • http://www.siemens.com/ | In PDF document text
    • http://www.siemens.de/ | In PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# | In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/ | In PDF document text
    • http://ns.adobe.com/xap/1.0/sType/ManifestItem# | In PDF document text
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# | In PDF document text
    • http://ns.adobe.com/xap/1.0/ | In PDF document text
    • http://ns.adobe.com/xap/1.0/g/img/ | In PDF document text
    • http://purl.org/dc/elements/1.1/ | In PDF document text
    • http://ns.adobe.com/pdf/1.3/ | In PDF document text
    • http://www.npes.org/pdfx/ns/id/ | In PDF document text
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# | In PDF document text
    • http://ns.adobe.com/xmp/InDesign/private | In PDF document text
    • http://ns.adobe.com/pdfx/1.3/ | In PDF document text
    • http://ns.adobe.com/xap/1.0/t/pg/ | In PDF document text
    • http://ns.adobe.com/xap/1.0/sType/Dimensions# | In PDF document text
    • http://ns.adobe.com/xap/1.0/g/ | In PDF document text
    • http://ns.adobe.com/illustrator/1.0/ | In PDF document text
    • http://www.iec.ch | In PDF document text
    • http://www.monotype.com/html/mtname/ms_arial.html | In PDF document text
    • http://www.monotype.com/html/mtname/ms_welcome.html | In PDF document text
    • http://www.monotype.com/html/type/license.html | In PDF document text

Extracted artifacts (32)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size

stream_033_off00039619.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x39619 | 17557 bytes
  SHA-256: 9424e3157f4bb1043e86a8bd89987d9f29a1f222bc21ad2c6048d66cc84d9942
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely
  343 of 493 identifiers look randomly generated (e.g. 'FqbDFUGpup5OCLwUdScNBbTGKEIB3PcnGkWqhcVZ'); 4 string-concatenation chain(s) — consistent with name-mangling obfuscation.

stream_037_off00050456.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x50456 | 16243 bytes
  SHA-256: 39dff670fd36baa4daca9ad4ee50771a0f8ae071c9f898f9e5f0eb6fcafa1f7f
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely
  136 of 270 identifiers look randomly generated (e.g. 'sdRuFIZklt0jbi5c1jNW4gmlNh2r74q9Os9PtLBW') — consistent with name-mangling obfuscation.

stream_041_off00066d7b.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x66D7B | 29426 bytes
  SHA-256: 7f22c065a4e9571021f055896c5ec5af322d9aa40184f63610bb430545a20f64
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely
  571 of 772 identifiers look randomly generated (e.g. 'GaG5hjuLeRZoZlEkckZDI6MOSsrLUEEHY4quV0cs'); 7 string-concatenation chain(s) — consistent with name-mangling obfuscation.

stream_042_off0006f082.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x6F082 | 8928 bytes
  SHA-256: a52939c26bc40060f4052671a033d5c74a69c12ab3fbf9064d5c38e602043a67

stream_054_off0009d3b7.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x9D3B7 | 31160 bytes
  SHA-256: c5af4747e2f03d20dbef1ea96606a8729f97ea7b2d0ea1756f87e325b07a1140

stream_111_off000e24d6.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xE24D6 | 16499 bytes
  SHA-256: 853cc2a1da64462e463d2bcac0abbcbbf1d5bc86302365e338f3b619b0895180
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely
  322 of 484 identifiers look randomly generated (e.g. 'obHwFMHR4SNCFVJicvEzJDRDghaSUyWiY7LCB3PS'); 3 string-concatenation chain(s) — consistent with name-mangling obfuscation.

stream_125_off000e99a2.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xE99A2 | 11793 bytes
  SHA-256: 8812c7063f88f06446bfb6d71da48912433cd8912d810d2173d7948f83f82987
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely
  240 of 350 identifiers look randomly generated (e.g. 'obHwFMHR4SNCFVJicvEzJDRDghaSUyWiY7LCB3PS'); 3 string-concatenation chain(s) — consistent with name-mangling obfuscation.

stream_127_off000ebb4d.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xEBB4D | 28063 bytes
  SHA-256: 9ad49362016069a0dea768299e1f6371db77ab3a5fa010796334b3864ef05627
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely
  328 of 488 identifiers look randomly generated (e.g. 'obHwFMHR4SNCFVJicvEzJDRDghaSUyWiY7LCB3PS'); 2 string-concatenation chain(s) — consistent with name-mangling obfuscation.

stream_129_off000ee5c6.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xEE5C6 | 10473 bytes
  SHA-256: bf643491ae5e8cc29c8585a14edfa7617314b390086d081a52ac9d91b49c82e8
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely
  199 of 295 identifiers look randomly generated (e.g. 'UTirsVeK6v8AnN5lsLvzJYiGBrq0vJIdHPptT0be'); 2 string-concatenation chain(s) — consistent with name-mangling obfuscation.

stream_131_off000f0055.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xF0055 | 34511 bytes
  SHA-256: e1f9a1b908d07ceafb5a3e08e30b3ed589490e15e5ed3ab130fb96af1596c7a8
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely
  464 of 664 identifiers look randomly generated (e.g. 'obHwFMHR4SNCFVJicvEzJDRDghaSUyWiY7LCB3PS'); 12 string-concatenation chain(s) — consistent with name-mangling obfuscation.

stream_149_off000f6183.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xF6183 | 14721 bytes
  SHA-256: 126ba3f6635a9e52ae902a6b4aa7368f2213fb7276df0586b8fcf8b0bf2f0b18
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely
  349 of 493 identifiers look randomly generated (e.g. 'obHwFMHR4SNCFVJicvEzJDRDghaSUyWiY7LCB3PS'); 1 string-concatenation chain(s) — consistent with name-mangling obfuscation.

stream_164_off0014045e.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x14045E | 35738 bytes
  SHA-256: dd5e4439432d2ea3e7f1869c39a05a2dc4bdb47deb0cb79a68b7fdf2fe10bdae

icc_00_off000d6151.icc | pdf-icc-profile | PDF ICC profile at offset 0xD6151 | 3144 bytes
  SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e

font_00_cff_off000fd2ac.bin | pdf-font-stream | PDF embedded font (cff) at offset 0xFD2AC | 7046 bytes
  SHA-256: 5090a458bd9c1cd2eb7ed5e9f5627352404b13d6708bc7dc35b2792b2be2e75d
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely
  Carved artifact entropy is 7.43, consistent with packed or encrypted content.

font_01_cff_off000feb78.bin | pdf-font-stream | PDF embedded font (cff) at offset 0xFEB78 | 6242 bytes
  SHA-256: a0768638fe8c0f8c645a670bf70b2806596da2b3ce6c5e50628158cc26b90850

font_02_cff_off0010013d.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x10013D | 4603 bytes
  SHA-256: 1fb41b5c84f011c3c640236e793da9e48d7e273440359c5c5746916901641f81

font_03_cff_off001011e0.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x1011E0 | 2245 bytes
  SHA-256: 165cd5bc804d5c35921b3948ab0d55dd49a3a375db20ac630846de6514c2c14c

font_04_cff_off00101a83.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x101A83 | 5935 bytes
  SHA-256: a114e1e8916eeceb4432beb4533a2f75fdab70a30273194ea75f00fe47f97c07
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely
  Carved artifact entropy is 7.45, consistent with packed or encrypted content.

font_05_cff_off00102f92.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x102F92 | 10076 bytes
  SHA-256: 8959b1d95ce4cdd9931c8d20247b9d1585ed7125828b807d5e848a665480bbc3

font_06_cff_off0010af8b.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x10AF8B | 4027 bytes
  SHA-256: 4c9950ef57d45e7416294b721643c2d77373b594fcca160a37e9ae354553673f

font_07_cff_off0010be31.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x10BE31 | 5926 bytes
  SHA-256: 4e2b0c49283d5df4b1b3865c6705617f774fdb5e04c11c14ec150c7f881903f7

font_08_cff_off0010d316.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x10D316 | 2635 bytes
  SHA-256: 31380158bb070968e489e297db7dd2e06f65be8ec5d2847fc1825f3d6445b03f

font_09_cff_off0010dce7.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x10DCE7 | 6103 bytes
  SHA-256: 98d011ef71c3089d151d4064db8326c0a66cf613836f2b4e1b7bdbac6ddb054d

font_10_cff_off0010f0d3.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x10F0D3 | 1948 bytes
  SHA-256: 3e1393676563996e72e28a55e5185d12d9f9b0d42bf4b5d271fd1ef01a5dc6d7

font_11_cff_off0010fc75.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x10FC75 | 1891 bytes
  SHA-256: 817b104e75a8764ed0d266b10a053959f5f3a7f822991515d3d5054ea6351e50

font_12_cff_off00116fbd.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x116FBD | 2750 bytes
  SHA-256: 502bdaf207940c236dd040c8efb2ce6f50db4bdb6df0dd97d6fb9a0c0968b6a4

font_13_cff_off00117aec.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x117AEC | 4405 bytes
  SHA-256: 1bcf458b6eb005b8d8c6afc72cf478d2dd8dcd6797563a173c7cf3ac5e911fa1

font_14_cff_off00118ac6.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x118AC6 | 4988 bytes
  SHA-256: 6e58b906f1d33e30b1aa1353570f57b50f2eebf40fac5128d83c27853b6e7fe3
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely
  Carved artifact entropy is 7.46, consistent with packed or encrypted content.

font_15_cff_off00122d4e.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x122D4E | 1224 bytes
  SHA-256: 81f0fc9fe9026c36166a659f2e0acb9cf5bb28b3a69a2dce15ced857cf0c3a93

font_16_cff_off0012321d.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x12321D | 4785 bytes
  SHA-256: 6678525312cf31e7356e42bd0dd8b0d274728676249a6c86d187318d44764f5f

font_17_cff_off0012738c.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x12738C | 1847 bytes
  SHA-256: 577b91f06ee059c838f8db8719e1d37e9e0bec5762854296b2aa103b27f76b04

font_18_sfnt_off00127ec1.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x127EC1 | 63412 bytes
  SHA-256: 8e12f46e16e318eeeb230e9c7fa3b7bf5e878d899324976fb35e88cbf8e1dd7a