PDF static analysis report

Static analysis result for SHA-256 d00f4f1ce8a8b8ad…

Verdict: SUSPICIOUS
File type: PDF
Size: 2.31 MB
Created: ‡nƒ7ªÞ üÏ$Õ/¿ªXqîgÚ
Authoring application: ‚Ó3Ñ+'ӂ|U¾•pŠ?ÎÒI~ëyÍ,‚ (via ‚Ó3Ñ+'ʨ~•u–~ÿø Qxî)
First seen: 2026-05-11
MD5: a522db7c6ef28c90efb7229b3a219d0a
SHA-1: 46caf6fc662e155c6073db1a8211424e270c20c1
SHA-256: d00f4f1ce8a8b8ad0bbe3b830301c42387bae606a97ec388521ad4d65b79b473
Risk Score: 34

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF is heavily obfuscated and encrypted, preventing full static analysis. Heuristics indicate it's an image-only lure with hidden links and an unusually high number of streams, suggesting complex obfuscation techniques. The presence of an AcroForm button with an action trigger further supports the likelihood of malicious intent, possibly to redirect the user or trigger an exploit.

Machine Learning

  • Nyx PDF Classifier: suspicious score 0.3411

Heuristics (5)

  • Unusually high stream count (severity: medium, rule PDF_MANY_STREAMS)
    PDF contains 501+ stream objects — may indicate heap spray or heavy obfuscation
  • AcroForm button with action trigger (severity: low, rule PDF_ACROFORM_BUTTON)
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • Encrypted PDF (string and stream contents are opaque to static scan) (severity: info, rule PDF_ENCRYPTED)
    PDF declares /Encrypt — string objects and stream contents are encrypted with the standard security handler (RC4 or AES). On its own this is informational; legitimate encrypted documents include signed contracts, billing statements, and rights-managed material. Static heuristics cannot inspect encrypted payload bytes.
  • Suspicious extracted artifact (severity: info, rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Each of the following URLs was found in PDF document text:
    • http://www.opencv.org.cn/images/2/21/OpenCV_
    • http://anzeigen.automatisieren.org
    • http://www.intel.com/technology/computing/opencv/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
    • http://ns.adobe.com/xap/1.0/sType/ManifestItem#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/g/img/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://www.npes.org/pdfx/ns/id/
    • http://ns.adobe.com/pdfx/1.3/
    • http://www.iec.ch

Extracted artifacts (30)

Files carved from inside the sample during analysis.

Columns per entry: Filename | Kind | Source | Size
stream_040_off00046b95.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x46B95 14921 bytes
SHA-256: 78023253210900f7be69ff6bdae1a72b7d20a652a40b5c48f90633cb96a12e8b
Detection
ClamAV: No threats found
Obfuscation or payload: likely
246 of 395 identifiers look randomly generated (e.g. 'ebNH0e7NletIsoUNRULCjdN8xm5JNX82eW9Vt4ov') — consistent with name-mangling obfuscation.
stream_043_off0006b4f5.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x6B4F5 318662 bytes
SHA-256: a841827c92b327dd88f9e264dd87c023c26cdfb79d9c02c650cfe936f9208a6a
stream_045_off000931a1.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x931A1 19630 bytes
SHA-256: 013ca40a3773e163e36a4b5461b4def3cbf1a48ff779c2521b22ba5a692ec379
Detection
ClamAV: No threats found
Obfuscation or payload: likely
434 of 609 identifiers look randomly generated (e.g. 'lZI33Xb9o9Mnnj3OToDWUHuBPyBTrSIjDYJHSm7H'); 7 string-concatenation chain(s) — consistent with name-mangling obfuscation.
stream_096_off0020ba38.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x20BA38 35738 bytes
SHA-256: dd5e4439432d2ea3e7f1869c39a05a2dc4bdb47deb0cb79a68b7fdf2fe10bdae
icc_00_off001b8a83.icc pdf-icc-profile PDF ICC profile at offset 0x1B8A83 3144 bytes
SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
font_00_cff_off001dcf7c.bin pdf-font-stream PDF embedded font (cff) at offset 0x1DCF7C 7449 bytes
SHA-256: e2b563aa0b30e34221330ac7156c2d585bb6962d616524791a96226cae2faa44
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.44, consistent with packed or encrypted content.
font_01_cff_off001de9ab.bin pdf-font-stream PDF embedded font (cff) at offset 0x1DE9AB 6506 bytes
SHA-256: 542060574573606a6f50880024c986abc3122029dd4cad15f33316f1c5194e67
font_02_cff_off001e0043.bin pdf-font-stream PDF embedded font (cff) at offset 0x1E0043 4535 bytes
SHA-256: b70c81e255f73887860477169f7fc84ceafaa9be402bc84e89492eec3ce8577e
font_03_cff_off001e10dd.bin pdf-font-stream PDF embedded font (cff) at offset 0x1E10DD 6491 bytes
SHA-256: 24e38b0b8c0d1ca50e75b1def1617149806b4f1b909710f57de32c2c171002f5
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.45, consistent with packed or encrypted content.
font_04_cff_off001e27be.bin pdf-font-stream PDF embedded font (cff) at offset 0x1E27BE 10064 bytes
SHA-256: 2f2bd95ba1ffca0cd37143f05b8c9ce6ab0b9fc59f6ec23587b9ac432198af5d
font_05_cff_off001ebcdb.bin pdf-font-stream PDF embedded font (cff) at offset 0x1EBCDB 6464 bytes
SHA-256: 78edcb660ab52a69de691a7e186f98b6940410d1a76f9229f6f5c162b52c7c9a
font_06_cff_off001edca0.bin pdf-font-stream PDF embedded font (cff) at offset 0x1EDCA0 3414 bytes
SHA-256: 539e9d614853b6f4baa3dcc0a881c1a5fe66f01f9b221cc4d1dec8e3d16c2d47
font_07_cff_off001ef535.bin pdf-font-stream PDF embedded font (cff) at offset 0x1EF535 1641 bytes
SHA-256: 594892873072d6b91cc4e10033bc978d1e6ba17ddea247723543979896a5bf2d
font_08_cff_off001efb87.bin pdf-font-stream PDF embedded font (cff) at offset 0x1EFB87 2489 bytes
SHA-256: 5874728a8a6eeee3593ca6605ce3d274c2aed297042817e94b62b808636b79bc
font_09_cff_off001f04ba.bin pdf-font-stream PDF embedded font (cff) at offset 0x1F04BA 2271 bytes
SHA-256: 9113db7a2647860332e396c490384fe02a059224ac2d4b199ae987336ed5f088
font_10_cff_off001f0d3f.bin pdf-font-stream PDF embedded font (cff) at offset 0x1F0D3F 2047 bytes
SHA-256: f9c4c02be1b13879b6b3d8ab32df0667df1c6c61d11a9a7926e1f78bf07de46e
font_11_cff_off001f14dd.bin pdf-font-stream PDF embedded font (cff) at offset 0x1F14DD 3752 bytes
SHA-256: 245457c9423e116816b59f8c06e7a6dbb8cd72ede15ac728ef442de90bfafc4d
font_12_cff_off001f33ec.bin pdf-font-stream PDF embedded font (cff) at offset 0x1F33EC 1847 bytes
SHA-256: 0dfd33b84b79ad17dc8529a895924f50015457277b4f634b9aef324d6ad573b5
font_13_cff_off001f3b08.bin pdf-font-stream PDF embedded font (cff) at offset 0x1F3B08 1891 bytes
SHA-256: 70ab1d355e051483b3509daa02e34b832020ad533b7a869370feb299107e077b
font_14_cff_off001f7d54.bin pdf-font-stream PDF embedded font (cff) at offset 0x1F7D54 4405 bytes
SHA-256: 15306d2b14de0a90102817cd6dee853201edc80cbd861285d2efea2becb8ab90
font_15_cff_off001f8d2f.bin pdf-font-stream PDF embedded font (cff) at offset 0x1F8D2F 4988 bytes
SHA-256: a698ea37b2cd1808b38914a78bb7c9001d937ee3f57592ed7ec37d4754f64213
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.46, consistent with packed or encrypted content.
font_16_cff_off001fa44c.bin pdf-font-stream PDF embedded font (cff) at offset 0x1FA44C 4346 bytes
SHA-256: 8f62355fcbdaea4d5dcf990d3d20fbfb7b74129cc361e44d5456d4d3152de17d
font_17_cff_off001fb359.bin pdf-font-stream PDF embedded font (cff) at offset 0x1FB359 2161 bytes
SHA-256: 287c53f75c6ddfea99536e9538c79cb3d076c7f900f63fca00c5de288f727b2a
font_18_sfnt_off002044fe.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x2044FE 24226 bytes
SHA-256: 20804eda330d00cece574729e24e848091d96f964e666176b68d4c38b91fe071
font_19_cff_off00216205.bin pdf-font-stream PDF embedded font (cff) at offset 0x216205 3213 bytes
SHA-256: aba3515739003567ac22377e014d37d05dc2248ac786b7d333ff62fac9c18026
font_20_cff_off00216e3a.bin pdf-font-stream PDF embedded font (cff) at offset 0x216E3A 6140 bytes
SHA-256: 79d30ebdeef73e5af567f92b552b071e1a9ced628206b23804ca5509a18b81ce
font_21_cff_off0021840b.bin pdf-font-stream PDF embedded font (cff) at offset 0x21840B 323 bytes
SHA-256: fe9e3939bc58cba68a30f48bebed2d4e3678389e684edbb81e54a4ccfc2d73d8
font_22_cff_off002186aa.bin pdf-font-stream PDF embedded font (cff) at offset 0x2186AA 2078 bytes
SHA-256: abdf9d1cd58beb161213ff34763a84f36c077a24a56a4e4d441bdfd6d7efb6ce
font_23_cff_off00218e24.bin pdf-font-stream PDF embedded font (cff) at offset 0x218E24 703 bytes
SHA-256: 0e58d8bad73959e33c65b06fa3541a91853ca09cabebc42a916b63ebf15696a1
font_24_cff_off00219143.bin pdf-font-stream PDF embedded font (cff) at offset 0x219143 2717 bytes
SHA-256: 0835c9d547fa76fa65a75df1490016e52f1d5929f06f53596e2216dee8829b67