Malicious PDF — malware analysis report

Static analysis result for SHA-256 4af1b1dba981352d…

MALICIOUS

PDF

Size: 45.7 KB
Created: 2026-05-07 07:49:21 -07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 263d04190b3970f681a690043c771548
SHA-1: 52a9a14ac029e7ed1b86921747a152d68823d701
SHA-256: 4af1b1dba981352dcdc1ebc0a506d9e2b8487fa9f9de987369c8285f92a7381f
Risk score: 62

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1539 Steal or Harvest Credentials

The PDF document uses lures consistent with credential harvesting, specifically impersonating a document signing service and requesting MFA confirmation. The embedded URI points to a Microsoft login authorization endpoint, likely intended to capture session tokens or credentials. No scripts were extracted from this sample.

Heuristics (3)

  • MFA / one-time-code harvesting lure [high] (SE_MFA_LURE)
    Document asks for a one-time code, authenticator approval, or MFA confirmation — consistent with credential phishing kits that steal session tokens or abuse multi-factor authentication
  • Document signing service impersonation lure [medium] (SE_DOCUSIGN_LURE)
    Document impersonates DocuSign, Adobe Sign, or a similar signing service in a signing-request context
  • External URI [info] (PDF_URI)
    PDF contains an external URL action
    URL: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?mkt=421ab9cba9c3f39abb92f1055c11b59f&r=644363&x-client-ver=8c5d86bc29696157932514ff29fe15e0&ui_locales=59ec782e5da12d8d112902addee4cd30&response_type=d7200ede91af29f023b3e01964179751&prompt=none&state=6cb00a85c78c07cbc1d61fbd77b2751b%257CamVyYkBzZXNlbmcuY29t&x-client-SKU=39230d5ae85526091649f0f217901d52&client_id=d7834cdd-6c96-4fb1-8f7e-0aec0e45a68f&response_mode=e0ac79eb87fd028e1d0dadf3bf143ea4&t=1778165360&s=027f&scope=7f16960f32f6

Extracted artifacts (4)

Files carved from inside the sample during analysis (filename, SHA-256, kind, source, size).

  • Filename: font_00_sfnt_off00004a1f.bin
    SHA-256: fc9c98e4cb0ba0896babd78dff8dfbd37e9a6816051d3851ebb28b0cb69c61f8
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4A1F
    Size: 12648 bytes
  • Filename: font_01_sfnt_off00005cfa.bin
    SHA-256: d9101d9b3491aefd934125c91667940c8e548c8e7705c521e895fb331100be70
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5CFA
    Size: 11156 bytes
  • Filename: font_02_sfnt_off00006e22.bin
    SHA-256: fea0a1c7537851f409c1c036a7d4b74e306d25bc72b26fd4a108e82eff92c959
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6E22
    Size: 15868 bytes
  • Filename: font_03_sfnt_off00008d70.bin
    SHA-256: d8f0646c2b5f774a603864a4f8e6cc4773eded36e2e2e65266b2e4fc0c6179fd
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8D70
    Size: 17096 bytes