Malicious PDF — malware analysis report

Static analysis result for SHA-256 af8460c25791d7b8…

MALICIOUS

PDF

Size: 125.5 KB
Created: 2025-06-17 19:35:28 +00:00
Authoring application: Chromium (via Skia/PDF m127)
First seen: 2026-06-10
MD5: 0b751f2b3706aeec1628687a8e785a75
SHA-1: 5de0c95c7cec4a7aead767e3d16a0a4437c1bd22
SHA-256: af8460c25791d7b8ba23d214fa9899fc5762d8578c1248085688a52875c38113
Risk Score: 60

Machine Learning

  • Nyx PDF Classifier: clean score 0.0003

Heuristics 2

  • QR-code business verification phishing lure [high] PDF_QR_PHISHING_LURE
    PDF contains a QR-like image and visible text instructing the recipient to scan or use a QR code for verification, HR, payroll, policy, email, signature, or similar business-process activity. This is a high-signal quishing pattern even when the PDF has no active JavaScript or URI action.
  • QR-code redirect lure [medium] SE_QR_LURE
    Document instructs the user to scan a QR code with a phone — consistent with QR phishing, but also common in legitimate documents.

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
icc_00_off0000015f.icc | pdf-icc-profile | PDF ICC profile at offset 0x15F | 536 bytes
    SHA-256: d9f822e8083f2f4d1c91e887454be5f75e8c7144b2853408f361e3c4a7a6b36d
font_00_sfnt_off00010080.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10080 | 53660 bytes
    SHA-256: 3d82cfd735c778428b08dfeb73e556bdc21860ec089378753a04e60647f86acf
font_01_sfnt_off00018406.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x18406 | 31064 bytes
    SHA-256: 77fb54c07d1a4f5c07f7538479085e369bb9e6e52b3aae882e575a63092d6f2a