Malicious PDF — malware analysis report

Static analysis result for SHA-256 9c8d56da48702e38…

MALICIOUS

PDF

File size: 248.3 KB
Authoring application: Skia/PDF m150 Google Docs Renderer
First seen: 2026-06-06
MD5: c76b4ce7e041e63ceba3e23ba848da55
SHA-1: 2820c137c1581c4c05214ecbbc0f2a3a8a932b90
SHA-256: 9c8d56da48702e38a00ca71487a4e1dbaf68a8cbc2b698a9cea871baab67cfb5
Risk Score: 76

Machine Learning

  • Nyx PDF Classifier clean score 0.0001

Heuristics 4

  • Remote-support tool lure (high, SE_REMOTE_SUPPORT_LURE)
    Document instructs the user to install, open, or connect with a remote-support tool such as AnyDesk, TeamViewer, Quick Assist, or ScreenConnect — high-risk in an unsolicited document
  • Callback phishing phone lure (medium, SE_CALLBACK_LURE)
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) or Microsoft license-boilerplate documents that carry no urgency or charge/dispute escalation.
  • Urgency / deadline lure (low, SE_URGENCY_LURE)
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • Fake invoice / payment lure (low, SE_INVOICE_LURE)
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators

Extracted artifacts 2

Files carved from inside the sample during analysis.

  • stream_014_off000343df.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x343DF
    Size: 56044 bytes
    SHA-256: 7cc251af65c521118e6700a272f2915498b25291abadab838bb38afae1b7dc97
  • font_01_sfnt_off0003ca96.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x3CA96
    Size: 217844 bytes
    SHA-256: 4b77dc5aa6680292006e542c26930b4a8ad299f85e66879a3677fe3f946f9df3