Malicious PDF — malware analysis report

Static analysis result for SHA-256 c610c5454b8e5c50…

MALICIOUS

PDF

Size: 558.7 KB
Created: 2023-10-25 14:38:27 +02:00
Authoring application: LaTeX with hyperref (via pdf-lib (https://github.com/Hopding/pdf-lib))
First seen: 2026-06-28
MD5: 90bc128faefd119ebfeea26e7f4c712c
SHA-1: b19a9d967eba95f654d4f4b044a9c2ace3afb391
SHA-256: c610c5454b8e5c508eb7b1d18075de4b7168092f565734d273fd04fd32e12205
Risk Score: 132

Machine Learning

  • Nyx PDF Classifier clean score 0.1865

Heuristics 4

  • ClamAV: Eicar-Test-Signature critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Eicar-Test-Signature
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename: EICAR.COM
Kind: pdf-embedded-file
Source: PDF EmbeddedFile object 8 at offset 0x166
Size: 68 bytes
SHA-256: 275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f
Detection: ClamAV: Eicar-Test-Signature
Obfuscation or payload: unlikely

Filename: font_00_type1_off0000084b.bin
Kind: pdf-font-stream
Source: PDF embedded font (type1) at offset 0x84B
Size: 13663 bytes
SHA-256: 7b3f746723a24d2bb3dd119e7c42a0319e46302f92feb34db30b752891bef56b
Detection: ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.91, consistent with packed or encrypted content.