Malicious PDF — malware analysis report

Static analysis result for SHA-256 b56e4522e6cfea25…

Verdict: MALICIOUS
File type: PDF
Size: 498.1 KB
Created: 2026-04-28 22:55:07 +00:00
Authoring application: Chromium (via Skia/PDF m134)
First seen: 2026-05-01
MD5: ea119f974d35fa6f016901274b9c4548
SHA-1: 7637a42235fa68c87348d9e3040b0e24bc4663e8
SHA-256: b56e4522e6cfea25a70594907997cb246a24bd1d9302450b42a21803cca1a07b
Risk Score: 82

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1566.002 Spearphishing Attachment

The PDF contains an invisible link that redirects to an OAuth authorization URL, indicating a phishing attempt to steal user credentials. The heuristic 'PDF_OAUTH_REDIRECT_LINK_LURE' directly supports this. Additionally, a generic JavaScript exploit stage was recovered, suggesting the PDF is designed to deliver a secondary payload, though its exact function could not be determined due to obfuscation.

Machine Learning

  • Nyx PDF Classifier clean score 0.0003

Heuristics (3)

  • Invisible PDF link uses OAuth redirector chain (severity: high, rule PDF_OAUTH_REDIRECT_LINK_LURE)
    PDF contains invisible link annotations whose URI is an OAuth authorization URL with a redirect_uri parameter leading into a known redirector/safelink chain. This is a common credential phishing shape: the PDF itself is inert, but the clickable area sends the user through trusted-looking redirect infrastructure to the collection site.
  • Generic recovered JavaScript exploit stage (severity: high, rule PDF_GENERIC_STAGE_RECOVERY)
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://account.piranya.dk/users/authorize?client_id=client_26b86420-5e76-49a4-99ed-a69081aae076&response_type=code&prompt=consent&scope=openid+profile+deployment&redirect_uri=https://link.photo.talk.zdn.vn/photolinkv2/720/aHR0cHM6Ly9tb2JpLndlYnNpdGVzY2FyZS5jb20vYXNzZXRzL2Nzcy9NRkp2WkVoU2QyTjVWWHBSVTFWNVVtbFZlVkp1TUZKdlpFaFNkMk41VlhwUlUxVjVVbWxWZVZKdU1GSnZaRWhTZDJONVZYcFJVMVY1VW1sVmVWSnVNRkp2WkVoU2QyTjVWWHBSVTFWNVVtbFZlVkp1TUZKdlpFaFNkMk41VlhwUlUxVjVVbWxWZVZKdQ==#?96774GapTname=YWNjb3VudHNAaGl0LWVxdWlwbWVudC5jb20uYXU=
    • https://nam11.safelinks.protection.outlook.com/?url=http%3A%2F%2Fbeo.com%2F&data=05%7C02%7Crobin.paru%40Superbeo.com%7Cdf85005f04f440645dbd08de3e50ab93%7C6498400a7a134accb42c90f194c53e44%7C0%7C0%7C639016713352805487%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=6SBcycnJWdZZI3NmUicc1msK0y%2B3Up2lEZ0xFzgUhJE%3D&reserved=0

Extracted artifacts (17)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
stream_024_off00064a32.bin | c35d90884abbc715bcfa40dafbca91f609b44412ba9f4d167e9b5506c406d708 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x64A32 | 39124 bytes
stream_026_off00069c5f.bin | 4a5e6b702164c65cdaf5bba2ed57a34d8ded5d4000881ac892f199399ea518f1 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x69C5F | 28728 bytes
generic_stage_recovery_000.js | 22117d57d07cee882e29e30d6fd691bad5729b8074d102b6e90dd241fae8b8f0 | deobfuscated-js | generic stage recovery null-collapse from decompressed stream at 0x5EAD3 at offset 0x5EAD3 | 16873 bytes
icc_00_off000000f9.icc | d9f822e8083f2f4d1c91e887454be5f75e8c7144b2853408f361e3c4a7a6b36d | pdf-icc-profile | PDF ICC profile at offset 0xF9 | 536 bytes
font_00_sfnt_off0004fd62.bin | d3f37bfe18e0bac5b63659640c07359ab31235bef24066a97cc6b24d902d5a13 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x4FD62 | 20740 bytes
font_01_sfnt_off00053623.bin | d476bafa1d1b651af86d6dbe093c67e9f26ff80451784cbed52a24b156683251 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x53623 | 8920 bytes
font_02_sfnt_off00055073.bin | fc5e2c95ded0fa202798c557ec0ca4d819158d5a2b6c2d869433f750ac0895f8 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x55073 | 8768 bytes
font_03_sfnt_off00056a32.bin | 1d1c09d18fdf79a016e498d580fba26b9bdb1bac9231bb9cb5805abe0ff5ec61 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x56A32 | 13276 bytes
font_04_sfnt_off00058ef9.bin | a6ffca24d193b8cab6124f4d312bd8e72cd34d01e2e24b871ff2fcd864e3dc70 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x58EF9 | 5636 bytes
font_05_sfnt_off0005a1f2.bin | 52954e07503f0dc9f8c88af081bd4b4e49d4e5627dc98ca587c45cc655aea433 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5A1F2 | 17708 bytes
font_06_sfnt_off0005c98f.bin | 43688e6f25098e3a7f12ee82fb62cde4ecb0268481223b3693f3b398638bb20f | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5C98F | 13956 bytes
font_07_sfnt_off0005ead3.bin | 1ca197d914d462fae4918703d9522f3b483cca0ee2de8f26c2beaf1f1778d8bd | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5EAD3 | 21968 bytes
font_08_sfnt_off00062360.bin | 550c4c8495b0dce414c28373d8b7b5af1de49cae5fd87db5286adcfe39fb0148 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x62360 | 20652 bytes
font_11_sfnt_off0006d4a6.bin | 37d5e0b8cccb5b8071ab194aff5dfa207687c7c47f293492049d5f42ebeea591 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6D4A6 | 133352 bytes
font_12_sfnt_off000746ac.bin | f0f805e08d0bac8dcbbc10b00ae610403d1918234f09c790357441e5793150b9 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x746AC | 27528 bytes
font_13_sfnt_off000787c5.bin | 39e1b09246af2230f643da2de690250f1846e6d10c2c9dab5197dad24cf8ad25 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x787C5 | 8424 bytes
font_14_sfnt_off0007a164.bin | 737ce213b54f44b58ee868485fb34c902d2797685cf266918e4b870499de11ff | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7A164 | 8788 bytes