Malicious PDF — malware analysis report

Static analysis result for SHA-256 13b351cbf9ddfcb8…

Verdict: MALICIOUS

File type: PDF

Size: 624 B; First seen: 2026-06-08

MD5: b71a3d7e3d1f964aa81a21e147781557
SHA-1: d1443cb2c225aa06db7c422adabf5b5feb25e389
SHA-256: 13b351cbf9ddfcb8afc99ea1773cd52a73d2c143df93881cd60403fd6aa6c3f4

Risk Score: 98

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (4)

  • PDF links to a request-capture / data-exfiltration sink (severity: high; rule: PDF_EXFIL_SINK_URL)
    PDF has a clickable HTTP(S) action whose destination is a request-capture / exfiltration endpoint (webhook.site, requestbin, beeceptor, pipedream, interactsh/OAST, burpcollaborator, canarytokens) or a throwaway tunnel (ngrok, trycloudflare). These services exist to receive arbitrary inbound requests, so they are essentially never a legitimate destination for a document link — the file is exfiltrating recipient/credential data or staging C2.
  • JavaScript action (severity: low; 1 related finding; rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low; rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://webhook.site/f485c6c9-2587-4d66-b258-4cd52e1d244a (in document body)
    • https://webhook.site/ (in document body)