Malicious PDF — malware analysis report

Static analysis result for SHA-256 f0dd20db2a269f43…

MALICIOUS

PDF

Size: 102.9 KB
Created: [unreadable]
Authoring application: [unreadable] (via [unreadable])
First seen: 2026-05-04
MD5: f611d658303fb1b38b764f3ef08d4704
SHA-1: 672fd25a514eaf9aa564fd659caa5f8a6e67bf86
SHA-256: f0dd20db2a269f4394bd53921f5a3d538b91cea78321a8cf7388000de34064fc
Risk Score: 92

Machine Learning

  • Nyx PDF Classifier: clean (score 0.0039)

Heuristics 4

  • Suspicious extracted artifact [medium] [EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded file [low] [PDF_EMBEDDED]
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • Encrypted PDF (string and stream contents are opaque to static scan) [info] [PDF_ENCRYPTED]
    PDF declares /Encrypt — string objects and stream contents are encrypted with the standard security handler (RC4 or AES). On its own this is informational; legitimate encrypted documents include signed contracts, billing statements, and rights-managed material. Static heuristics cannot inspect encrypted payload bytes.
  • Embedded URL [info] [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://www.iec.ch (in PDF document text)

Extracted artifacts 4

Files carved from inside the sample during analysis.

  • brshw.ex
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 86 at offset 0x6608
    Size: 14316 bytes
    SHA-256: 644c7b91275e00ba78b3e543890579464f8cd229b3a403768dbc42ddaee96631
    Detection: ClamAV: Win.Worm.FunnyPics-1
    Obfuscation or payload: likely
    actual_type=PE; declared_or_context_type=PDF; filename=brshw.ex; kind=pdf-embedded-file
  • icc_00_off00004552.icc
    Kind: pdf-icc-profile
    Source: PDF ICC profile at offset 0x4552
    Size: 408 bytes
    SHA-256: 653b586c4707574ffcd648ba35494daed2c76ceafcf4c07d315ed961b1dc347f
  • icc_01_off00004678.icc
    Kind: pdf-icc-profile
    Source: PDF ICC profile at offset 0x4678
    Size: 3144 bytes
    SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
  • embedded_file_obj0086.bin
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 86 at offset 0x662D
    Size: 14316 bytes
    SHA-256: b731faf1d005c0dff01f908f594f0aa0938724c48552246d21c326e3c4e182ff
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact entropy is 7.99, consistent with packed or encrypted content.