Malicious PDF — malware analysis report

Static analysis result for SHA-256 888e8b3c27d24c2c…

MALICIOUS

PDF

588.1 KB Authoring application: Skia/PDF m150 Google Docs Renderer First seen: 2026-05-19
MD5: 3ecdaf3954d5aad289a2571c48f4d6b8 SHA-1: 5dbe143503ca31a0fda04979460d1eb84b799454 SHA-256: 888e8b3c27d24c2c9d41123eeaed185cebf1265a30e19f38226652074b524e3c
64 Risk Score

Machine Learning

  • Nyx PDF Classifier clean score 0.0067

Heuristics 3

  • Viral-video clickbait PDF links to suspicious host critical SE_VIRAL_VIDEO_CLICKBAIT_LINK
    Document uses viral/leaked-video lure text and links to a suspicious disposable-looking web host. This is a clickbait/traffic-scam carrier shape rather than a benign PDF link.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://adec1fp0v0mhh1b2mg2zzqzz5e.hop.clickbank.net/ PDF link annotation
    • https://adec1fp0v0mhh1b2mg2zzqzz5e.hop.clickPDF link annotation
🗂 Part of campaign: hop.click 53 samples

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_001_off0000031d.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x31D 657072 bytes
SHA-256: c4596bb3a4818a5d4628f3f2a9253048c5d20cd1121a364fc5041e15cbabcdb2
stream_016_off00082f97.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x82F97 59140 bytes
SHA-256: e2513c6ada7739e2117e624a8faf609dbdf1e54a049c5555761c95853f680c00
icc_00_off00000146.icc pdf-icc-profile PDF ICC profile at offset 0x146 536 bytes
SHA-256: d9f822e8083f2f4d1c91e887454be5f75e8c7144b2853408f361e3c4a7a6b36d
font_01_sfnt_off0008b9f2.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x8B9F2 31516 bytes
SHA-256: 8ca8395031899c024bb3c12bb84d3f2f0a911922c5aec121d424474c8e89e87c