Malicious PDF — malware analysis report

Static analysis result for SHA-256 0a60f5efb4159fba…

Verdict: MALICIOUS

File type: PDF

Size: 8.2 KB
MD5: 4ea1cd83cf8bc5217505ec079b8331b2 SHA-1: bd8bf2424d8adceec583ba7618552982759f6bf1 SHA-256: 0a60f5efb4159fbaa00676958e54b61875bc8ea09db227c4448abfb1de878053
Risk score: 146

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The PDF sample triggered multiple high and critical severity heuristics related to JavaScript exploits and XFA forms, indicating it is designed to exploit vulnerabilities in PDF viewers. The presence of an OpenAction trigger further supports the likelihood of automatic code execution upon opening. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (4)

  • PDF JavaScript exploit cluster (severity: critical, PDF_JS_EXPLOIT_CLUSTER)
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • OpenAction trigger (severity: high, PDF_OPENACTION)
    PDF has an /OpenAction that launches, submits, or opens an external target.
  • XFA form (severity: low, PDF_XFA)
    PDF uses XML Forms Architecture, which can contain script logic.
  • AcroForm button with action trigger (severity: low, PDF_ACROFORM_BUTTON)
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger; this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.