Malicious PDF — malware analysis report

Static analysis result for SHA-256 001e10b3788297fa…

Verdict: MALICIOUS
File type: PDF
Size: 45.2 KB
MD5: 2c681f98d604a6403a73a850783cb103
SHA-1: 756e87c855e761a2795746640e473172d824087a
SHA-256: 001e10b3788297fa48d344feee587a0cc586700c7975b076de809805c5f71660
Risk score: 176

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The PDF file contains embedded JavaScript, flagged as a PDF JavaScript exploit cluster and associated with XFA forms. The JavaScript is heavily obfuscated, but its presence and the exploit cluster heuristic indicate it's designed to deliver a malicious payload. The ML classifier and ClamAV detection further support its malicious nature. The embedded URLs are related to XFA and Adobe, but their specific role in the attack is unclear.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9606

Heuristics (6)

  • PDF JavaScript exploit cluster [critical] PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • ClamAV: Heuristics.PDF.ObfuscatedNameObject [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject
  • JavaScript action [low] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • XFA form [low] PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xci/2.6/
    • http://www.xfa.org/schema/xfa-template/2.6/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: javascript_obj0012_000.js
SHA-256: 56665d2c35b941412ae83fdb121dff3c369622dc521637d1edb991067835222c
Kind: pdf-javascript-stream
Source: PDF /JS object 12 at offset 0xA1ED
Size: 3366 bytes