Malicious PDF — malware analysis report

Static analysis result for SHA-256 f5876474b4468390…

MALICIOUS

PDF

259.4 KB
Created: 2026-05-26 12:21:13 +00:00
Authoring application: Chromium (via Skia/PDF m134)
First seen: 2026-05-28
MD5: 01aa559204b602dab065be179c0a6e3c
SHA-1: 63df9978c0a942d3a5838f7a3a88fdc75964015e
SHA-256: f5876474b4468390e9d1eaeac114dc864fa82ccd7bee600e05f699c12fd979e0
Risk Score: 60

Machine Learning

  • Nyx PDF Classifier clean score 0.0001

Heuristics 2

  • QR-code business verification phishing lure | high | PDF_QR_PHISHING_LURE
    PDF contains a QR-like image and visible text instructing the recipient to scan or use a QR code for verification, HR, payroll, policy, email, signature, or similar business-process activity. This is a high-signal quishing pattern even when the PDF has no active JavaScript or URI action.
  • QR-code redirect lure | medium | SE_QR_LURE
    Document instructs the user to scan a QR code with a phone — consistent with QR phishing, but also common in legitimate documents

Extracted artifacts 5

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
icc_00_off00000113.icc | pdf-icc-profile | PDF ICC profile at offset 0x113 | 536 bytes
  SHA-256: d9f822e8083f2f4d1c91e887454be5f75e8c7144b2853408f361e3c4a7a6b36d
font_00_sfnt_off000303be.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x303BE | 26620 bytes
  SHA-256: b6691c0273278182046471f269bd1ec6bb0a8f1f5f39392b6fdd0851b5effd35
font_01_sfnt_off00034a1d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x34A1D | 39232 bytes
  SHA-256: 397b7b52bb48c38d194863818bb82720e0151926ce0fbbab3f86d4505fb1e730
font_02_sfnt_off0003aaa5.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x3AAA5 | 15932 bytes
  SHA-256: 25c6431c0d74545204580c4b2cb44682ec70729f42804ca992baf184606d4f05
font_03_sfnt_off0003d749.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x3D749 | 18144 bytes
  SHA-256: df49af669802daea85927e86d0f9e67f59c51f9d9b53bb2c198e91f760be82cb