Malicious PDF — malware analysis report

Static analysis result for SHA-256 d366c894611c6325…

Verdict: MALICIOUS
File type: PDF
Size: 45.7 KB
Created: 2026-05-07 08:37:06 -07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: ef12addcfa56cfa7f4f63d3a8503471b
SHA-1: ff1292d6bfe4fcbff563f8cb2bfd35ab294ac847
SHA-256: d366c894611c63259edacd1627f6c3e040e331fc32c34b5340cd63f551a01aff
Risk score: 62

Malware Insights

MITRE ATT&CK
  • T1539 Steal Application Access Token
  • T1056.004 Web Browser

The PDF document uses a lure consistent with credential phishing, impersonating a signing service to harvest user credentials or MFA codes. The embedded URL points to a Microsoft login authorization endpoint, likely intended to capture tokens or session information after a successful phishing attempt. No scripts were extracted from this sample.

Heuristics (3)

  • MFA / one-time-code harvesting lure [severity: high] SE_MFA_LURE
    Document asks for a one-time code, authenticator approval, or MFA confirmation, consistent with credential phishing kits that steal session tokens or abuse multi-factor authentication
  • Document signing service impersonation lure [severity: medium] SE_DOCUSIGN_LURE
    Document impersonates DocuSign, Adobe Sign, or a similar signing service in a signing-request context
  • External URI [severity: info] PDF_URI
    PDF contains an external URL action
    URL: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?prompt=none&x-client-ver=8c5d86bc29696157932514ff29fe15e0&mkt=421ab9cba9c3f39abb92f1055c11b59f&scope=7f16960f32f6965667e0c6bd5cf3f2d5&t=1778168226&nonce=785b539e6c015b066a3c4dca6fe77c0d&s=7c17&response_mode=e0ac79eb87fd028e1d0dadf3bf143ea4&client_id=d7834cdd-6c96-4fb1-8f7e-0aec0e45a68f&state=6cb00a85c78c07cbc1d61fbd77b2751b%257Ca2FyaW4ua2F0aWNoQGF1bHRtYW4ub3Jn&response_type=d7200ede91af29f023b3e01964179751&ui_locales=59ec782e5da12d8d

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off00004a02.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x4A02  12648 bytes
  SHA-256: fc9c98e4cb0ba0896babd78dff8dfbd37e9a6816051d3851ebb28b0cb69c61f8
font_01_sfnt_off00005cdd.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x5CDD  11156 bytes
  SHA-256: d9101d9b3491aefd934125c91667940c8e548c8e7705c521e895fb331100be70
font_02_sfnt_off00006e05.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x6E05  15868 bytes
  SHA-256: fea0a1c7537851f409c1c036a7d4b74e306d25bc72b26fd4a108e82eff92c959
font_03_sfnt_off00008d53.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x8D53  17096 bytes
  SHA-256: d8f0646c2b5f774a603864a4f8e6cc4773eded36e2e2e65266b2e4fc0c6179fd