Malicious PDF — malware analysis report

Static analysis result for SHA-256 704b0a4f2f2195d2…

Verdict: MALICIOUS
File type: PDF
Size: 41.7 KB
Created: 2024-08-29 20:50:09 -08:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2026-05-13
MD5: 68053622c5cb645676c534fea7c4642a
SHA-1: a0dd8dcff49d57cfcb73bd206985f45db1483de4
SHA-256: 704b0a4f2f2195d22340471b9bdb06244047f7042728dd7f6aa6e3c5e30c9bc1
Risk score: 62

Machine Learning

  • Nyx PDF Classifier: clean score 0.0047

Heuristics (3)

  • Clickable PDF combines external action with parser-evasion structure (severity: high, rule: PDF_ACTION_PARSER_EVASION)
    PDF has an external clickable URI together with object graph or xref structures that make parsers disagree, such as divergent duplicate objects, parser divergence, or xref offset mismatch. That combination is stronger than a plain link: the document is both an outward-action carrier and a parser-confusion/evasion sample.
  • Clickable URI uses URL shortener (severity: medium, rule: PDF_URL_SHORTENER_URI)
    PDF contains a clickable HTTP(S) action whose destination is a URL shortener. This hides the final landing page from static review and is common in phishing redirect PDFs.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
      • http://tiny.cc/295kzz (channel: PDF document text)
      • http://en.wikipedia.org/wiki/MIT_License (channel: PDF document text)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00002c6c.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2C6C
    Size: 27700 bytes
    SHA-256: 0843c61ff6788cca507c5361dc3ab514dad4f5a1347c8e8d4334fce23fe5c911
  • Filename: font_01_sfnt_off00006886.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6886
    Size: 19276 bytes
    SHA-256: 878313ee56c22937453c9e85b446a0cc7d3f7c48ec301f05ed94ee6384fe7284
  • Filename: font_02_sfnt_off00008e0d.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8E0D
    Size: 13372 bytes
    SHA-256: 7501f416f55df2e24438dc872cf422e9280ef0d34e979e6915599eef21de2821