PDF malware analysis — malicious · dc3962b5ccd112d1

MALICIOUS

PDF

317.0 KB First seen: 2026-06-10

MD5: 3d4b50e72fe0597aa5a1d5afa65f8d00 SHA-1: e01e2c99d3d1b4c5ef73245266084a5109ed9e24 SHA-256: dc3962b5ccd112d1017e06646573f7786dfecf584ce23bb6142de684995af7ed

66 Risk Score

Machine Learning

Nyx PDF Classifier clean score 0.0005

Heuristics 5

MFA / one-time-code harvesting lure high SE_MFA_LURE

Document asks for a one-time code, authenticator approval, or MFA confirmation — consistent with credential phishing kits that steal session tokens or abuse multi-factor authentication
Document signing service impersonation lure medium SE_DOCUSIGN_LURE

Document impersonates DocuSign, Adobe Sign, or a similar signing service in a signing-request context
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://sayanconstruction.navigatechangedigital.de/6z7AN PDF link annotation
- https://nossmd.systemsgrowth.de/7DNKMIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In PDF document text

Extracted artifacts 10

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`stream_002_off0000066a.bin`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x66A	66162 bytes
SHA-256: `809427784ff0000d4332cf3e873cd19ea176ba447b9f7d5fd5804f63412a76b5`
`stream_009_off00009969.bin`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x9969	61516 bytes
SHA-256: `4bf02518cf2344f9323e5ae94744fea7ecd75a8f6b950e885cb8d9b6ba5ee680`
`stream_017_off0001569b.bin`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x1569B	63484 bytes
SHA-256: `68bc5a78a184a33187d634c100a366dbbd569349704d1327b06aa19b93e03eb0`
`font_00_sfnt_off000042d3.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x42D3	49896 bytes
SHA-256: `902baceb3f20c80ad139f6da99c5b758d11366e8b2e698c35fc39bc0dc64a04b`
`font_02_sfnt_off00011bb4.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x11BB4	39698 bytes
SHA-256: `ca6060a99d6f73bec6ab9da200d930c98d4dfdf1840727627c4bd4aab19d8f79`
`font_04_sfnt_off0001d661.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1D661	39868 bytes
SHA-256: `dea7377876e31931dcc8a657acaf58a27a4fde21692fc33d4f68d352d3890373`
`font_05_sfnt_off000384f7.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x384F7	47708 bytes
SHA-256: `b502a8ef08bbb224f6139eddf24b7bd8608822cf5dd75e6daa44f81246c765ae`
`font_06_sfnt_off0003fc92.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x3FC92	26158 bytes
SHA-256: `1182b15b6ec08c71efbfe32b3b764480070298908a70714435eb5c4be92292b0`
`font_07_sfnt_off000457b3.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x457B3	35280 bytes
SHA-256: `01e29d4d27dde833022d1059478f3b94cc128eafbd326b41025eb54beea7b5a9`
`font_08_sfnt_off0004b9c1.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x4B9C1	39538 bytes
SHA-256: `5e61f05c58a273c1d1c99fe0b2e0a923f952ed30b730a2570a2d1ff1ac568d02`

Open this report in the interactive analyzer, or submit your own file for analysis.