Malicious PDF — malware analysis report

Static analysis result for SHA-256 191b6fa324bf48ae…

Verdict: MALICIOUS
File type: PDF
Size: 391.7 KB
First seen: 2026-05-07
MD5: 0f73acd047e30b5f0fefdcc76b851865
SHA-1: ad1eef29cb7934db089c034b1b5dfa363c6742ae
SHA-256: 191b6fa324bf48ae3ea33cc426994d56da120cf06ba6aa377a48f313b6358a74
Risk score: 122

🔏 Digital signature: Modified after signing

A signature covers the whole signed byte range — PDF JavaScript is never signed on its own — and does not by itself mean the document is safe.

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1027 Obfuscated Files or Information

The PDF was identified as malicious due to the presence of an embedded file, a common technique for delivering secondary payloads. The document is also encrypted, which hinders static analysis and suggests an attempt to conceal its contents. While several URLs were extracted, they were all confirmed as benign, and no scripts were found. The primary indicator of malicious intent is the embedded file, suggesting a spearphishing attachment attack pattern.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0979

Heuristics (8)

  • PDF JavaScript exploit cluster [critical] PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • Active content added after the PDF was signed [medium] PDF_SIGNATURE_POST_SIGN_MODIFICATION
    An incremental update appended AFTER the signed byte range introduces active content (/EmbeddedFile). Some of this can occur in legitimate form-fill (field scripts, a rewritten /Catalog), so it is suspicious rather than damning — but it is content the signer did not approve.
  • Suspicious extracted artifact [medium] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded file [low] PDF_EMBEDDED
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • XFA form [low] PDF_XFA
    PDF uses XML Forms Architecture, which can contain script logic.
  • Encrypted PDF (string and stream contents are opaque to static scan) [info] PDF_ENCRYPTED
    PDF declares /Encrypt — string objects and stream contents are encrypted with the standard security handler (RC4 or AES). On its own this is informational; legitimate encrypted documents include signed contracts, billing statements, and rights-managed material. Static heuristics cannot inspect encrypted payload bytes.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (channel in parentheses):
    • http://www.passportcanada.gc.ca (Referenced by PDF JavaScript)
    • http://www.travel.gc.ca (Referenced by PDF JavaScript)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (In PDF document text)
    • http://ns.adobe.com/xap/1.0/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (In PDF document text)
    • http://purl.org/dc/elements/1.1/ (In PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (In PDF document text)
    • http://ns.adobe.com/xfa/promoted-desc/ (In PDF document text)
    • http://cgi.adobe.com/special/acrobat/update (Referenced by PDF JavaScript)
    • http://www.xfa.org/schema/xfa-template/2.5/ (Referenced by PDF JavaScript)
    • http://www.w3.org/1999/xhtml (Referenced by PDF JavaScript)
    • http://www.xfa.org/schema/xfa-data/1.0/ (Referenced by PDF JavaScript)
    • http://www.xfa.org/schema/xfa-template/2.4/ (Referenced by PDF JavaScript)
    • http://ns.adobe.com/xdp/ (In PDF document text)
    • http://www.xfa.org/schema/xci/1.0/ (In PDF document text)
    • http://www.xfa.org/schema/xci/2.8/ (In PDF document text)
    • http://www.xfa.org/schema/xfa-locale-set/2.1/ (In PDF document text)
    • http://ns.adobe.com/xfdf/ (In PDF document text)
    • http://www.xfa.org/schema/xfa-form/2.8/ (In PDF document text)
    • http://www.w3.org/2001/XMLSchema-instance (In PDF document text)

Extracted artifacts (22)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
embedded_file_obj0022.bin | pdf-embedded-file | PDF EmbeddedFile object 22 at offset 0x3F31 | 85 bytes
  SHA-256: c06dcd026a7ea0536b63e07ce688691b585339a3ab7ff59065e546b56308c7bb
embedded_file_obj0023.bin | pdf-embedded-file | PDF EmbeddedFile object 23 at offset 0x3FE4 | 2438 bytes
  SHA-256: 7ccc48f8f58ac63ac6b5ba4934921c3056e801b73072bc958798df1a9a7fdb09
embedded_file_obj0024.bin | pdf-embedded-file | PDF EmbeddedFile object 24 at offset 0x43D6 | 806003 bytes
  SHA-256: d31e6245e4c7b07fc31834f673322a38026afc9599a1b482e4f6a87cb29e51b3
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact contains 118 eval/decoder/string-building token(s). 1059 of 2418 identifiers look randomly generated (e.g. 'MEo2iLAeHHDCGTloSkDA8OEjIHByvPIG9YgYM1NE'); 18 string-concatenation chain(s) — consistent with name-mangling obfuscation. Carved artifact contains 4 long base64-like blob(s).
embedded_file_obj0025.bin | pdf-embedded-file | PDF EmbeddedFile object 25 at offset 0x28787 | 7127 bytes
  SHA-256: 13d61ac1626b97851db49da701ba0fde3c75ac0eda83dafcd927cd4ef4fc9d09
embedded_file_obj0026.bin | pdf-embedded-file | PDF EmbeddedFile object 26 at offset 0x28BD0 | 6414 bytes
  SHA-256: fa3be8779716b3b2d142392e3d65a967775688e2bded7c8f65f28a05db81d0b9
embedded_file_obj0027.bin | pdf-embedded-file | PDF EmbeddedFile object 27 at offset 0x290AD | 2989 bytes
  SHA-256: 7bc749464968c34bfa537812bf6073bbc3baa554e9c68109b32a271b3651868f
embedded_file_obj0028.bin | pdf-embedded-file | PDF EmbeddedFile object 28 at offset 0x29463 | 80 bytes
  SHA-256: 2ebdd7efeaa1190ff6bad8cbd649b313e3969564018f204e7385b97c2fab1e19
embedded_file_obj0029.bin | pdf-embedded-file | PDF EmbeddedFile object 29 at offset 0x2950F | 26038 bytes
  SHA-256: 3ce83b390287b2b57885b296f16d67b01d74eed73f80052e6b74aa062f2e93ba
javascript_obj0149_000.js | pdf-javascript-stream | PDF /JS object 149 at offset 0x42607 | 2795 bytes
  SHA-256: 826c5622c798d67e5281cca7e05933dddc90ccdcb0a6177c9f7d06f11bef8f7f
  Preview script (first 1,000 lines of the extracted script):
if (typeof(this.ADBE) == "undefined")
   this.ADBE = new Object();
ADBE.LANGUAGE = "ENU";
ADBE.Viewer_string_Title = "Adobe Acrobat";
ADBE.Viewer_string_Update_Desc = "Adobe Interactive Forms Update";
ADBE.Viewer_string_Update_Reader_Desc = "Adobe Reader 7.0.5";
ADBE.Reader_string_Need_New_Version_Msg = "This PDF file requires a newer version of Adobe Reader. Press OK to download the latest version or see your system administrator.";
ADBE.Viewer_Form_string_Reader_601 = "This PDF form requires a newer version of Adobe Reader. Although the form may appear to work properly, some elements may function improperly or may not appear at all. Press OK to initiate an online update or see your system administrator.";
ADBE.Viewer_Form_string_Reader_Older = "This PDF form requires a newer version of Adobe Reader. Although the form may appear to work properly, some elements may function improperly or may not appear at all. Press OK for online download information or see your system administrator.";
ADBE.Viewer_Form_string_Viewer_601 = "This PDF form requires a newer version of Adobe Acrobat. Although the form may appear to work properly, some elements may function improperly or may not appear at all. Press OK to initiate an online update or see your system administrator.";
ADBE.Viewer_Form_string_Viewer_60 = "This PDF form requires a newer version of Adobe Acrobat. Although the form may appear to work properly, some elements may function improperly or may not appear at all. For more information please copy the following URL (CTRL+C on Win, Command-C on Mac) and paste into your browser or see your system administrator.";
ADBE.Viewer_Form_string_Viewer_Older = "This PDF requires a newer version of Acrobat. Copy this URL and paste into your browser or see your sys admin.";
ADBE.Viewer_Form_string_Reader_5x = "This PDF form requires a newer version of Adobe Reader. Without a newer version, the form may be displayed, but it might not work properly. Some form elements might not be visible at all. If an internet connection is available, clicking OK will open your browser to a web page where you can obtain the latest version.";
ADBE.Viewer_Form_string_Reader_6_7x = "This PDF form requires a newer version of Adobe Reader. Without a newer version, the form may be displayed, but it might not work properly. Some form elements might not be visible at all. If an internet connection is available, clicking OK will download and install the latest version.";
ADBE.Viewer_Form_string_Viewer = "This PDF form requires a newer version of Adobe Acrobat. Without a newer version, the form may be displayed, but it might not work properly. Some form elements might not be visible at all. If an internet connection is available, clicking OK will download and install the latest version.";
javascript_obj0150_001.js | pdf-javascript-stream | PDF /JS object 150 at offset 0x428CD | 870 bytes
  SHA-256: 4a1aca004cf20431c9a66dce85404a6411a54d881a6c257882260ffc972a13eb
  Preview script (first 1,000 lines of the extracted script):
if (typeof(ADBE.Reader_Value_Asked) == "undefined")
   ADBE.Reader_Value_Asked = false;
if (typeof(ADBE.Viewer_Value_Asked) == "undefined")
   ADBE.Viewer_Value_Asked = false;
if (typeof(ADBE.Reader_Need_Version) == "undefined" || ADBE.Reader_Need_Version < 7.0)
{
   ADBE.Reader_Need_Version = 7.0;
   ADBE.Reader_Value_New_Version_URL = "http://cgi.adobe.com/special/acrobat/update";
   ADBE.SYSINFO = "?p=" + app.platform + "&v=" + app.viewerVersion + "&l=" + app.language + "&c=" + app.viewerType + "&w=" + "XFA1_6";
}
if (typeof(ADBE.Viewer_Need_Version) == "undefined" || ADBE.Viewer_Need_Version < 7.0)
{
   ADBE.Viewer_Need_Version = 7.0;
   ADBE.Viewer_Value_New_Version_URL = "http://cgi.adobe.com/special/acrobat/update";
   ADBE.SYSINFO = "?p=" + app.platform + "&v=" + app.viewerVersion + "&l=" + app.language + "&c=" + app.viewerType + "&w=" + "XFA1_6";
}
javascript_obj0151_002.js | pdf-javascript-stream | PDF /JS object 151 at offset 0x42A26 | 1532 bytes
  SHA-256: f574e4d51594d1a8fd22e125b109b827c437aa898edc78babb62dbb93f8744f8
  Preview script (first 1,000 lines of the extracted script):
if (typeof(xfa_installed) == "undefined" || typeof(xfa_version) == "undefined" || xfa_version < 2.1)
{
   if (app.viewerType == "Reader")
   {
      if (ADBE.Reader_Value_Asked != true)
      {
         if (app.viewerVersion < 6.0)
         {
            if (app.alert(ADBE.Viewer_Form_string_Reader_5x, 1, 1) == 1)
               this.getURL(ADBE.Reader_Value_New_Version_URL + ADBE.SYSINFO, false);
            ADBE.Reader_Value_Asked = true;
         }
         else if (app.viewerVersion < 7.0)
         {
            if (app.alert(ADBE.Viewer_Form_string_Reader_601, 1, 1) == 1)
               app.findComponent({cType:"App", cName:"Reader7", cDesc: ADBE.Viewer_string_Update_Reader_Desc});
            ADBE.Reader_Value_Asked = true;
         }
         else
         {
            if (app.alert(ADBE.Viewer_Form_string_Reader_6_7x, 1, 1) == 1)
               app.findComponent({cType:"Plugin", cName:"XFA", cDesc: ADBE.Viewer_string_Update_Reader_Desc});
            ADBE.Reader_Value_Asked = true;
         }
      }
   }
   else
   {
      if (ADBE.Viewer_Value_Asked != true)
      {
         if (app.viewerVersion < 7.0)
            app.response({cQuestion: ADBE.Viewer_Form_string_Viewer_Older, cDefault: ADBE.Viewer_Value_New_Version_URL + ADBE.SYSINFO, cTitle: ADBE.Viewer_string_Title});
         else if (app.alert(ADBE.Viewer_Form_string_Viewer, 1, 1) == 1)
            app.findComponent({cType:"Plugin", cName:"XFA", cDesc: ADBE.Viewer_string_Update_Desc});
         ADBE.Viewer_Value_Asked = true;
      }
   }
}
xfa_image_rawvalue_000.tif | pdf-xfa-image-tiff | XFA image/rawValue TIFF payload near offset 0x2015E | 2902 bytes
  SHA-256: c4930b7050e70e2da874cfad7223567ef4e89e78a4e07a02a20a37e1e538f25f
xfa_image_rawvalue_001.tif | pdf-xfa-image-tiff | XFA image/rawValue TIFF payload near offset 0x2E174 | 4516 bytes
  SHA-256: 885d94abc364f92820dc4ceaa613135a17a2d58102daf32ccca532c25b875fd4
xfa_image_rawvalue_002.tif | pdf-xfa-image-tiff | XFA image/rawValue TIFF payload near offset 0x2FAD7 | 2923 bytes
  SHA-256: 63565274e03c5a2c507f7833ed49576ab76751cf857c7cb4733e3777bab151fc
embedded_file_obj0067_undecoded.bin | pdf-embedded-file-undecodable | PDF EmbeddedFile object 67 at offset 0x18F18; filter decode failed | 944 bytes
  SHA-256: 2493d143500a7478fe93469c3eb87b80c7c90146881720baa5e5760b5271602d
embedded_file_obj0068_undecoded.bin | pdf-embedded-file-undecodable | PDF EmbeddedFile object 68 at offset 0x19325; filter decode failed | 196576 bytes
  SHA-256: d77891e7f87e32cdf35d04c0106579aed03895871291c23df5e550d1e2f37f16
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact entropy is 8.00, consistent with packed or encrypted content.
embedded_file_obj0069_undecoded.bin | pdf-embedded-file-undecodable | PDF EmbeddedFile object 69 at offset 0x49360; filter decode failed | 1024 bytes
  SHA-256: cef6f0e47eed236504f6c39987ef93da6857f0f96d92af08df5cc1dbb1d5e035
embedded_file_obj0070_undecoded.bin | pdf-embedded-file-undecodable | PDF EmbeddedFile object 70 at offset 0x497BB; filter decode failed | 1200 bytes
  SHA-256: 0eb2a84155a026bcd17f4a7153e1846f670383cec4b093cf4cb5b167aea069bd
embedded_file_obj0071_undecoded.bin | pdf-embedded-file-undecodable | PDF EmbeddedFile object 71 at offset 0x49CC5; filter decode failed | 880 bytes
  SHA-256: 1d77a8501aef85e11083c9589ee0c40f686b49fb41912da8eb52c5e459d2f07f
embedded_file_obj0072_undecoded.bin | pdf-embedded-file-undecodable | PDF EmbeddedFile object 72 at offset 0x4A08F; filter decode failed | 112 bytes
  SHA-256: 5c63b57fa7986a093a0aeb9615402ba15c12613cba3501c456a719f99b855298
embedded_file_obj1485_undecoded.bin | pdf-embedded-file-undecodable | PDF EmbeddedFile object 1485 at offset 0x54872; filter decode failed | 112 bytes
  SHA-256: 3ac432b8b032a6bf2b5a5ad4426a741f09fb4c66fc3c3c746bb8aa82038a8125
embedded_file_obj1486_undecoded.bin | pdf-embedded-file-undecodable | PDF EmbeddedFile object 1486 at offset 0x5493F; filter decode failed | 5680 bytes
  SHA-256: 680722053b5a540638a7478b869920498f8491a30af6b1f2c5c5a393348706df
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact entropy is 7.97, consistent with packed or encrypted content.