PDF malware analysis — malicious · 08a3c0f6f059444b

MALICIOUS

PDF

33.5 KB

MD5: 41a8a885f221c0d62a69e7c3ece9913f SHA-1: 0d94ed34fa4dead1a8e5040d2f485f41d73ebe71 SHA-256: 08a3c0f6f059444baaeba0699a2d2ce56ff653105625c953d5abf2d4c5f8743e

180 Risk Score

Malware Insights

MITRE ATT&CK

T1059.007 JavaScript T1203 Exploitation for Client Execution

The PDF file contains XFA (XML Forms Architecture) which is known to be vulnerable to heap spray attacks. The embedded JavaScript, identified as stream_000_off0000005b.js, likely contains the exploit code. Heuristic firings such as PDF_XFA_HEAP_SPRAY and ML_NYX_PDF_MALICIOUS strongly indicate malicious intent, with the JavaScript being the primary mechanism for executing the exploit.

Machine Learning

Nyx PDF Classifier malicious score 0.9922

Heuristics 8

XFA JavaScript heap-spray exploit code critical PDF_XFA_HEAP_SPRAY

PDF contains XFA script content with heap-spray or shellcode-like JavaScript markers such as large encoded word sequences, util.pack, large arrays, or spray variable names. This is a weaponised Adobe Reader exploit pattern, not a normal interactive form.
ClamAV: Heuristics.PDF.ObfuscatedNameObject critical CLAMAV_DETECTION

ClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject
XFA form low PDF_XFA

PDF uses XML Forms Architecture — can contain script logic
String.fromCharCode low PDF_FROMCHARCODE

String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
Embedded script payload in PDF stream low PDF_EMBEDDED_SCRIPT_PAYLOAD

PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED

The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PSSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://ns.adobe.com/xdp/
- http://www.xfa.org/schema/xci/1.0/
- http://www.xfa.org/schema/xfa-template/2.4/
- http://www.xfa.org/schema/xfa-data/1.0/
- http://ns.adobe.com/xtd/
- http://www.xfa.org/schema/xfa-form/2.8/

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`stream_000_off0000005b.js` `268e45ec4327a78adafe152b3960d8c0af5044885bea7b72d2ce970862d427e3`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x5B	84756 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.