Malicious PDF — malware analysis report

Static analysis result for SHA-256 97ab429714cd71fd…

MALICIOUS

PDF

131.7 KB Created: 2025-06-04 08:41:43 +00:00 Authoring application: Chromium (via Skia/PDF m127) First seen: 2026-06-10
MD5: 01633729ae50d0cdb8a67ef5be163ac1 SHA-1: 2744064e241e4d067edcb17cc9a9839463fe4527 SHA-256: 97ab429714cd71fda4d6f871da89d13deb01fdbd9996a50abd909a2adacc8625
60 Risk Score

Machine Learning

  • Nyx PDF Classifier clean score 0.0003

Heuristics 2

  • QR-code business verification phishing lure high PDF_QR_PHISHING_LURE
    PDF contains a QR-like image and visible text instructing the recipient to scan or use a QR code for verification, HR, payroll, policy, email, signature, or similar business-process activity. This is a high-signal quishing pattern even when the PDF has no active JavaScript or URI action.
  • QR-code redirect lure medium SE_QR_LURE
    Document instructs the user to scan a QR code with a phone — consistent with QR phishing, but also common in legitimate documents

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off00004c2b.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x4C2B 49152 bytes
SHA-256: 876a1bfc0e868d39fc361d6c9c0e4f4f53e1525b256248bfe97d30402b46468a
icc_00_off000001db.icc pdf-icc-profile PDF ICC profile at offset 0x1DB 536 bytes
SHA-256: d9f822e8083f2f4d1c91e887454be5f75e8c7144b2853408f361e3c4a7a6b36d
font_00_sfnt_off00011749.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x11749 53660 bytes
SHA-256: 3d82cfd735c778428b08dfeb73e556bdc21860ec089378753a04e60647f86acf
font_01_sfnt_off00019acf.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x19ACF 31404 bytes
SHA-256: 16d7c5091a1869241fd859be2990b37fc893f9a30acfafd1922bee7fdc31936d