Malicious PDF — malware analysis report

Static analysis result for SHA-256 0cb2a3a2278fa0f5…

Verdict: MALICIOUS
File type: PDF
Size: 19.2 KB
MD5: 6b3908efde3884ee5a2a01751bea2e23
SHA-1: fea4990597ef621d983dc734ca49a11e9fd3ac2b
SHA-256: 0cb2a3a2278fa0f57b1041d6f876f96db15a1d89b0fc910962992b3dd4051bd3
Risk score: 118

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

ClamAV (signature Pdf.Exploit.Dropped-78) and the Nyx PDF classifier (score 1.0000) both flag the file as malicious. Structurally the PDF combines an XFA form, a <script> payload inside a PDF stream and an 18936-byte EmbeddedFile attachment (object 8), which is consistent with the exploit-dropper pattern the ClamAV signature name describes: script logic in the form stages a nested payload for execution. The three extracted URLs are XDP/XFA schema namespace identifiers, not download locations, so the sample carries no network indicator; any second stage is delivered inside the document rather than fetched. The differential parser failure (pdfminer.six raised PSEOF) removes the cross-check signal but does not weaken the static heuristics, which all ran. The carved attachment should be analysed on its own before drawing conclusions about what the second stage does.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (6)

  • ClamAV: Pdf.Exploit.Dropped-78 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Dropped-78.
  • Embedded file [low] PDF_EMBEDDED
    The PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload (see Extracted artifacts: EmbeddedFile object 8, 18936 bytes).
  • XFA form [low] PDF_XFA
    The PDF uses XML Forms Architecture, whose templates can contain script logic (JavaScript or FormCalc) that the viewer executes on form events.
  • Embedded script payload in PDF stream [low] PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives. This is common in accessible XFA forms, so it is surfaced for analyst review rather than scored as a detection on its own.
  • PDF differential parser failed [info] PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) failed on this file with PSEOF, i.e. it hit end of file before finding the structure it expected, which typically means a truncated, malformed or deliberately mangled file. The static heuristics still ran and their findings above stand; only the differential cross-check signal is missing.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. A URL is not itself a detection; the per-URL labels record which channel (macro, JS, link annotation, document body, ...) reached each one. All three URLs here are XDP/XFA XML namespace identifiers, expected in any XFA form, and not download locations:
    • http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xfa-template/2.5/
    • http://www.xfa.org/schema/xfa-data/1.0/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_file_obj0008.bin
SHA-256:  59bc41e08d8966c9a77068b592d9d8b1a086711d2da9d64ee75f98a77a4db499
Kind:     pdf-embedded-file
Source:   PDF EmbeddedFile object 8 at offset 0xC8
Size:     18936 bytes
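The following is an added worked example, not code from the report or from the scanner that produced it. It re-implements, with the Python standard library only, the checks behind the heuristics above (XFA key, <script> tag in decoded streams, shell-execution primitives, URL extraction, a truncation proxy for the differential-parser failure) and the EmbeddedFile carve listed under Extracted artifacts (filename, object number, offset, size, SHA-256). The PDF it parses is constructed inline; the SHELL_PRIMITIVES indicator list is an assumption, as is the simplified object parser (no xref walking, no object streams, direct integer /Length only, FlateDecode only).

```python
"""Stdlib-only PDF triage reproducing the checks behind the report's heuristics
(EmbeddedFile, XFA, <script> in streams, shell primitives, URL extraction,
truncation) and carving EmbeddedFile objects with their SHA-256."""
import hashlib
import re
import zlib

# Constructed sample payload (NOT the analysed file): an XDP/XFA template
# carrying a <script> element and two of the namespace URIs seen in the report.
XFA_XML = (
    b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">'
    b'<template xmlns="http://www.xfa.org/schema/xfa-template/2.5/">'
    b'<script contentType="application/x-javascript">app.alert("xfa");</script>'
    b'</template></xdp:xdp>'
)

# Assumed indicator list for the "Windows shell-execution primitives" check;
# the report does not publish the scanner's own list. Compared case-insensitively.
SHELL_PRIMITIVES = (b"cmd.exe", b"powershell", b"wscript.shell", b"rundll32", b"mshta")

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\s*")
STREAM_RE = re.compile(rb"\s*stream\r?\n")
# Direct integer /Length only; an indirect "/Length 5 0 R" is deliberately skipped.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")
URL_RE = re.compile(rb"https?://[^\s\"'<>)]+")


def build_sample_pdf():
    """Assemble the constructed sample: an XFA form whose XDP is stored as a
    Flate-compressed EmbeddedFile. It has no xref/startxref, the kind of
    truncation that makes strict parsers such as pdfminer.six give up (PSEOF)."""
    payload = zlib.compress(XFA_XML)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /AcroForm << /XFA 4 0 R >> >>",
        b"<< /Type /Pages /Count 0 /Kids [] >>",
        b"<< /Type /Filespec /F (form.xdp) /EF << /F 4 0 R >> >>",
        b"<< /Type /EmbeddedFile /Filter /FlateDecode /Length %d >>\nstream\n"
        % len(payload) + payload + b"\nendstream",
    ]
    out = b"%PDF-1.7\n"
    for num, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


def _read_dict(data, pos):
    """Return (dict_bytes, end) for the << ... >> at pos, honouring nesting."""
    depth, i = 0, pos
    while i < len(data):
        if data.startswith(b"<<", i):
            depth, i = depth + 1, i + 2
        elif data.startswith(b">>", i):
            depth, i = depth - 1, i + 2
            if depth == 0:
                return data[pos:i], i
        else:
            i += 1
    raise ValueError("unterminated dictionary at offset 0x%X" % pos)


def iter_objects(data):
    """Yield (obj_num, offset, dict_bytes, raw_stream_or_None) per indirect object.
    Simplified: no xref walking, no object streams, direct /Length only."""
    for m in OBJ_RE.finditer(data):
        pos = m.end()
        if not data.startswith(b"<<", pos):
            continue
        d, end = _read_dict(data, pos)
        raw, sm, lm = None, STREAM_RE.match(data, end), LENGTH_RE.search(d)
        if sm and lm:
            raw = data[sm.end():sm.end() + int(lm.group(1))]
        yield int(m.group(1)), m.start(), d, raw


def decode_stream(d, raw):
    """Inflate FlateDecode streams; other filters are returned undecoded."""
    if raw is not None and b"/FlateDecode" in d:
        try:
            return zlib.decompress(raw)
        except zlib.error:
            pass
    return raw or b""


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def triage(data):
    """Run the heuristic checks over one PDF and carve its EmbeddedFile objects."""
    findings = {
        "xfa": False, "script_payload": False, "shell_primitives": False,
        "urls": set(), "embedded_files": [],
        # %%EOF plus startxref present: cheap proxy for the truncation that
        # makes a strict parser such as pdfminer.six raise PSEOF.
        "structure_ok": data.rstrip().endswith(b"%%EOF") and b"startxref" in data,
    }
    for num, offset, d, raw in iter_objects(data):
        content = decode_stream(d, raw)
        blob = d + content  # dictionary keys plus decoded stream bytes
        if b"/XFA" in d:
            findings["xfa"] = True
        if re.search(rb"<script\b", blob, re.I):
            findings["script_payload"] = True
        if any(p in blob.lower() for p in SHELL_PRIMITIVES):
            findings["shell_primitives"] = True
        findings["urls"].update(u.decode("latin-1") for u in URL_RE.findall(blob))
        if b"/EmbeddedFile" in d and raw is not None:
            findings["embedded_files"].append({
                "filename": "embedded_file_obj%04d.bin" % num,
                "source": "PDF EmbeddedFile object %d at offset 0x%X" % (num, offset),
                "size": len(content), "sha256": sha256_hex(content),
            })
    findings["urls"] = sorted(findings["urls"])
    return findings


if __name__ == "__main__":
    for key, value in triage(build_sample_pdf()).items():
        print("%-16s %s" % (key, value))
```

Run it directly to print the findings for the constructed sample; pass the bytes of a real file to triage() to reproduce the carve entry above. On the sample the XFA and <script> checks fire, the shell-primitive check stays quiet (the same low-severity combination this report shows), the two namespace URIs are extracted, and structure_ok is False because no xref is present. Real samples routinely use indirect /Length values, object streams and filters other than FlateDecode, which is why a production pipeline runs a full parser and, as this report does, a second independent one as a cross-check.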