Malicious PDF — malware analysis report

Static analysis result for SHA-256 983099b868165216…

MALICIOUS

PDF

Size: 474.6 KB
First seen: 2026-05-08
MD5: 79df2e3ca6a091a978ca838b36339357
SHA-1: 76b6784113084ad5d5db3740d9226d10a156f48b
SHA-256: 983099b86816521628c40e5523921eae2ec9bcccafb7a0ab422647aa8428cfd5
Risk score: 60

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a hidden HTML iframe, a common technique for redirecting users to malicious websites. The embedded URL 'http://www.ereading.cz/mamu.htm' is of unknown reputation and is the most likely destination for the iframe. No scripts were extracted, limiting further analysis of the payload.

Machine Learning

  • Nyx PDF Classifier: clean (score 0.0067)

Heuristics (5)

  • PDF contains hidden external HTML iframe (high) PDF_HIDDEN_HTML_IFRAME
    PDF bytes contain a hidden zero-size HTML iframe pointing to an external HTTP(S) URL. This is a strong malicious dropper/redirect indicator and is not expected in ordinary PDF content.
  • Embedded file (low) PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.
  • XFA form (low) PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic (matched inside decoded stream).
  • Suspicious extracted artifact (info) EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.ereading.cz/mamu.htm (in PDF document text)
    • http://www.color.org (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://ns.adobe.com/iX/1.0/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in PDF document text)
    • http://ns.adobe.com/xap/1.0/sType/ManifestItem# (in PDF document text)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xmp/InDesign/private (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/swf/1.0/ (in PDF document text)
    • http://www.w3.org/1999/xhtml (in PDF document text)
    • http://www.xfa.org/schema/xfa-data/1.0/ (in PDF document text)

Extracted artifacts (12)

Files carved from inside the sample during analysis.

Each entry lists filename, kind, source, size and SHA-256.

  • embedded_file_obj0089.bin
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 89 at offset 0x73D66
    Size: 26650 bytes
    SHA-256: baf559d65f9607a6f20f73084a601619062e86465aa9e5edb6bfd0b864f94b55
    Detection (ClamAV): No threats found
    Obfuscation or payload: likely (carved artifact contains 18 long base64-like blob(s))
  • stream_013_off00023aef.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x23AEF
    Size: 322494 bytes
    SHA-256: caa48ff29a0415c919856d3da76fc5d4843de20ab9e9e1d8d02f017185493172
  • stream_014_off00055b0d.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x55B0D
    Size: 6484 bytes
    SHA-256: 2adacffff43d65cb492f665522ed947c157de7209c16a087210e5f2059202ce4
  • font_00_cff_off0005eead.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x5EEAD
    Size: 3374 bytes
    SHA-256: 65a50c6be92cb5b7ce65af19a624e52327f14e96d1d1cb2e76e5bbe034024b61
  • font_01_cff_off0005fa21.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x5FA21
    Size: 2236 bytes
    SHA-256: e1bc275d74d58ae26853946783e242442668d33e23ee1c40f6ee418413c019d4
  • font_02_cff_off0006041c.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x6041C
    Size: 4393 bytes
    SHA-256: 3510cf6fcd42ee99080213d2f1b01ade152acdcb43c3bb3900831f6f8aadb884
  • font_03_cff_off0006125f.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x6125F
    Size: 1330 bytes
    SHA-256: d8c2a110bc9fe3cb8a41089430a9da6cc9a34d4873114360cc5fd861881546e7
  • font_04_cff_off00061a2f.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x61A2F
    Size: 2444 bytes
    SHA-256: 6bdbc3f2440e14f6b1e15b599c0b040b0e978f7ec317434e31bd4507a7722ca5
  • font_05_cff_off000623ae.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x623AE
    Size: 18632 bytes
    SHA-256: 865e1a085388e8bba85090df21c4cd05489e5bc936e93ac5bffacc7871789aa4
  • font_06_cff_off00065e47.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x65E47
    Size: 16937 bytes
    SHA-256: dfda8a8b2d823278c61f1e0493045df86abdbccdba0304fb7fa7c9e97fc7e9d4
  • font_07_cff_off0006943b.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x6943B
    Size: 14587 bytes
    SHA-256: 48e3a144257b4b0f01cda5fd82c74900d6d7a8dd7294dc57f55415ec0ab3e0f4
  • font_08_cff_off000700c1.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x700C1
    Size: 11726 bytes
    SHA-256: c14a5b1146f58db821e5ca7e6d4efdc52ce8e3eb46b2b81091a402433dd3ec14