Malicious PDF — malware analysis report

Static analysis result for SHA-256 b54371228b9a9657…

MALICIOUS

PDF

438.8 KB Created: 2026-03-31 12:29:51 +02:00 Authoring application: Microsoft® Word a Microsoft 365-höz First seen: 2026-04-11
MD5: d6fd3360597cb2429f4b0a3c4231a44e SHA-1: 60ac79d017cc60bf920270e1684ddcc1364a0917 SHA-256: b54371228b9a9657abe03b118247942d5b61370b36bbdd6027abc178b8a09e35
84 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains an OpenAction that triggers navigation to a suspicious URL, http://canarytokens.com/traffic/images/89i5cfztcsfpq0pwkgc0dn61d/post.jsp. This is a common technique for phishing or redirecting users to malicious sites. No scripts were extracted, and the document body content is heavily obfuscated and unreadable, limiting further analysis of the exact intent.

Machine Learning

  • Nyx PDF Classifier clean score 0.0064

Heuristics 4

  • OpenAction trigger high PDF_OPENACTION
    PDF has an /OpenAction that launches, submits, or opens an external target
  • PDF links to a request-capture / data-exfiltration sink high PDF_EXFIL_SINK_URL
    PDF has a clickable HTTP(S) action whose destination is a request-capture / exfiltration endpoint (webhook.site, requestbin, beeceptor, pipedream, interactsh/OAST, burpcollaborator, canarytokens) or a throwaway tunnel (ngrok, trycloudflare). These services exist to receive arbitrary inbound requests, so they are essentially never a legitimate destination for a document link — the file is exfiltrating recipient/credential data or staging C2.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://canarytokens.com/traffic/images/89i5cfztcsfpq0pwkgc0dn61d/post.jsp PDF link annotation
    • https://github.com/andre-fuchs/kerning-pairs/blob/master/LICENSE.mdIn PDF document text
    • http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/pdfx/1.3/In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • https://docs.microsoft.com/typography/aboutWeightWidthOpticalIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000163f9.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x163F9 105388 bytes
SHA-256: 343b8d038104d5a355d2a4fff96b37c0752264dc9adc40fae2671b4997facd56
font_01_sfnt_off000300a3.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x300A3 19840 bytes
SHA-256: 89cb78b72afd79e8f860ff65c02ae7c7636a57ca8ac472a8f1d90be82d6b968a
font_02_sfnt_off00053cce.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x53CCE 51412 bytes
SHA-256: 80ba8a8bf77a4e2d2bc0f6ae812e7fb14604e8af32f643def31a326c4949814d

Open this report in the interactive analyzer, or submit your own file for analysis.