Malicious PDF — malware analysis report

Static analysis result for SHA-256 f7d6faf97e074943…

Verdict: MALICIOUS
File type: PDF
Size: 211.7 KB
Created: 2025-07-17 05:17:54 +00:00
Authoring application: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/136.0.0.0 Safari/537.36 (via Skia/PDF m136)
First seen: 2026-06-10
MD5: 3ac0106aff7b644efb0a949141854653
SHA-1: 3e9e8f0e0c451b6b1da5849d3108c7d6daec7fd3
SHA-256: f7d6faf97e07494357c21eb2e3f5b3cb982df8f7035fd98711e01ea82abe5934
Risk score: 82

Machine Learning

  • Nyx PDF Classifier: clean score 0.0001

Heuristics (3)

  • Invisible/repeated PDF links deliver payload file (severity: critical, rule: PDF_REPEATED_PAYLOAD_LINK_LURE)
    PDF uses invisible link annotations and points to a direct payload download. Repeated invisible links or lure-like payload names such as document/unlock/verify archives match malware-delivery PDF carriers where the page is only a prompt and the real payload is fetched from the linked URL.
  • QR-code redirect lure (severity: medium, rule: SE_QR_LURE)
    Document instructs the user to scan a QR code with a phone — consistent with QR phishing, but also common in legitimate documents.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://app-au.bitdam.com/api/v1.0/links/rewrite_click/?rewrite_token=accountancy&url=https%3A%2F%2Faqmlrqk.oktnzypginc.es%2Fqdmc%40v1dwcD7v/*ar@guidepointsystems.com (channel: PDF document text)

Extracted artifacts (8)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| icc_00_off0000ad9e.icc | pdf-icc-profile | PDF ICC profile at offset 0xAD9E | 536 bytes | d9f822e8083f2f4d1c91e887454be5f75e8c7144b2853408f361e3c4a7a6b36d |
| font_00_sfnt_off000137ab.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x137AB | 22076 bytes | de1347935d4704916148baab7e7d04e6718cf3a676ab17ad3d2644884c654eae |
| font_01_sfnt_off00016dc9.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x16DC9 | 34040 bytes | 5d90eb78209f4343b762ed06007b81f1c64de804f45014631f5f420a3c7f29df |
| font_02_sfnt_off0001c0b6.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1C0B6 | 40620 bytes | 6560a65aeaf0444bba800bcd9109f475b17f1ad40c73551ec2a89b1fb0d5e09a |
| font_03_sfnt_off000224a4.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x224A4 | 24612 bytes | 28b3b457d23ea16414f262508175b1a9872a8268350e451ee2dfd9066b23edd0 |
| font_04_sfnt_off0002710e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2710E | 22356 bytes | d387e7bb2244d5a8e7c4e0d6c98dd631d038e5992bf88057efc0ac38c54053f1 |
| font_05_sfnt_off0002a7d8.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2A7D8 | 31164 bytes | f35ebda25d7cf3f0945bc2e5291406ae6d9cefc5ea0824b52554eb8e46c284c1 |
| font_06_sfnt_off0002f353.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2F353 | 36860 bytes | 9d01b0ab0e2fa8eac6a9844349aa34678d2668d215eccfde63f3fd5f2d860e50 |