Malicious PDF — malware analysis report

Static analysis result for SHA-256 9c05a877cfddde9a…

MALICIOUS

PDF

Size: 165.2 KB
Created: 2026-05-07 13:37:48 +00:00
Authoring application: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/143.0.0.0 Safari/537.36 (via Skia/PDF m143)
First seen: 2026-05-29
MD5: 30d760548be1514ffed819716a75f575
SHA-1: 1f336d6bcf819ab353c375d6904e60d0db81fe02
SHA-256: 9c05a877cfddde9a609c4a8e73b3f755610d0964a7b1ad0c5c6bb4b85c01d71b
Risk Score: 82

Machine Learning

  • Nyx PDF Classifier clean score 0.0002

Heuristics 3

  • PDF link to algorithmically-generated URL (high) [PDF_RANDOM_URL_LINK]
    PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
  • Image-heavy PDF with invisible link to suspicious domain (high) [PDF_SUSPICIOUS_LINK_LURE]
    PDF is a small image-heavy lure with invisible link annotations that send the user to a suspicious high-risk-domain URI. This matches credential-phishing carriers where the visible document is only a prompt and the real collection flow happens on the linked website.
  • Embedded URL info [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://socialsecuritystatementforyorrreview.vorlixa.cfd/statement2026 (In PDF document text)

Extracted artifacts 6

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
icc_00_off00000196.icc | pdf-icc-profile | PDF ICC profile at offset 0x196 | 536 bytes
    SHA-256: d9f822e8083f2f4d1c91e887454be5f75e8c7144b2853408f361e3c4a7a6b36d
font_00_sfnt_off00015306.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x15306 | 23300 bytes
    SHA-256: a0950825ae656a3689afdedfd1345df86a481e3f4da154a99fc652cce1c21d48
font_01_sfnt_off00018da1.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x18DA1 | 37524 bytes
    SHA-256: a1bcab221bdd608d55715ce3162f0644d32943ab522669036fa02fa670fe2312
font_02_sfnt_off0001e89c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1E89C | 24016 bytes
    SHA-256: e36107e9480c00a41508d50a3fd75aa0785a2094ff7d0337a30206f0fafa69e2
font_03_sfnt_off00021f78.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x21F78 | 28128 bytes
    SHA-256: eb752bf43d7386b2b3861143b872f99105f05fa12f5db90882f64ddef26d4cc5
font_04_sfnt_off00026235.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x26235 | 18552 bytes
    SHA-256: b11713d3d508af81ccb412154b70769996b6919fc04a4076727c92869ce1d3c1