Malicious PDF — malware analysis report

Static analysis result for SHA-256 c5d6173867afc5d3…

MALICIOUS

PDF

56.8 KB Created: 2025-05-15 04:57:40 +01:00 Authoring application: mPDF 6.0 First seen: 2026-06-28
MD5: 85259a1dd66acc3d991720dcbb9aa682 SHA-1: 14d964a767ca36898011b16ec97f709bf1146812 SHA-256: c5d6173867afc5d34875e57460ca3b04c93edf780118e3b7d8eb02fa8ea2dc71
72 Risk Score

Machine Learning

  • Nyx PDF Classifier clean score 0.0019

Heuristics 4

  • Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://coachhire.com.au/confirm-order?qid=VFdwQmVVNVRNSGRPVXpCNFRsRTlQUT09Zkh4WlRFTlRVREF4TkRBeU5qa3o= PDF link annotation
    • https://coachhire.com.au/pdf_invoice.php?id=RWNtSm91bmV5fHw0MDI2OTM=&v=1747281459In PDF document text
    • https://coachhire.com.au/termsIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000021f1.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x21F1 26192 bytes
SHA-256: 1a56ba1bf68f5240c6fa883f21c292901726c565d1d1da1bfb83f303f88bca2e
font_01_sfnt_off000058fd.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x58FD 27040 bytes
SHA-256: f02f0deeae9fc99e362302984d4b819ab41692b4540fcdc15039675d31c72694
polyglot_child_pdf_off0000000f.pdf polyglot-child-pdf Secondary PDF body inside pdf container at offset 0xF 58171 bytes
SHA-256: 61776eb91a173fa35645470980b5fb9dca36160560d68e91d648cec23266c6a4

Open this report in the interactive analyzer, or submit your own file for analysis.