Malicious PDF — malware analysis report

Static analysis result for SHA-256 1f37ce95c4b38288…

Verdict: MALICIOUS
File type: PDF
Size: 464.0 KB
Created: 2010-03-16 14:56:25 +08:00
Authoring application: Adobe LiveCycle Designer ES 8.2
First seen: 2026-05-11
MD5: f2237ef1f2e1158c7b81b22e432f67c7
SHA-1: 2b1e966e40714d71b2997b3b1827b3029da63b4b
SHA-256: 1f37ce95c4b3828891d53748521a1eeb5a214cd5cf575fb6e61c17c25201dac5
Risk score: 78

Malware Insights

MITRE ATT&CK: T1059.001 PowerShell

The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT heuristic. The ML_NYX_PDF_MALICIOUS heuristic also flagged the file with high confidence. While no specific URLs or scripts were directly extractable for detailed analysis, the presence of JavaScript and the ML classification strongly suggest the document is designed to execute malicious code, likely for downloading and executing further payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9969

Heuristics (6)

  • PDF_EMBEDDED_FILE_UNDECODED (medium): PDF embedded file could not be fully decoded
    A declared PDF /EmbeddedFile stream uses filters that the scanner could not decode. The raw stream was carved for artifact triage because malformed or unsupported attachment filters can hide payload content from normal extraction.
  • PDF_JAVASCRIPT (low): JavaScript action
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF_EMBEDDED (low): Embedded file
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.
  • PDF_XFA (low): XFA form
    PDF uses XML Forms Architecture — can contain script logic.
  • PDF_IMAGE_ONLY_LURE (info): PDF paints image(s) but contains no text operators
    PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
embedded_file_obj0002.bin | pdf-embedded-file | PDF EmbeddedFile object 2 at offset 0x50B | 1587 bytes | 444d6d82bf278239c586a47ac22b38bc52ef0567885d34677b63697694199d94
embedded_file_obj0003.bin | pdf-embedded-file | PDF EmbeddedFile object 3 at offset 0x7FC | 1131 bytes | b7a0d22ac75abe2687fb5f359888909250f2da2c07714300e3f996843b09f50d
embedded_file_obj0004.bin | pdf-embedded-file | PDF EmbeddedFile object 4 at offset 0xAB8 | 3023 bytes | f6828dd1c2c33f5f9b3d297876597a713abd12a8e3a8bcc14eda8a62895139c5
embedded_file_obj0005.bin | pdf-embedded-file | PDF EmbeddedFile object 5 at offset 0xE49 | 1147 bytes | cf065dc4fd2d15fa5738d48dc81edfceb1e16b432145bd109187b7245ff7b331
embedded_file_obj0058.bin | pdf-embedded-file | PDF EmbeddedFile object 58 at offset 0x73719 | 162 bytes | afc37dfd267afc85da413af5b7bc1e8f5d4bd93a706404932b8c311efda57b71
embedded_file_obj0059.bin | pdf-embedded-file | PDF EmbeddedFile object 59 at offset 0x7380C | 263 bytes | 7cf53d1b73d36e3e106802f55ddf832413e6fd7f6cbb683494a84f88caad15b1
embedded_file_obj0060.bin | pdf-embedded-file | PDF EmbeddedFile object 60 at offset 0x7392F | 1714 bytes | f77000e4c9a6b068d110e6af56cf50936305ee7b5f276601453a62e51af75b6b
temp.jpg | pdf-embedded-file-undecodable | PDF EmbeddedFile object 57 at offset 0xDCE2; filter decode failed | 416221 bytes | 0adb91c493a53ef9671f08402ca860ef1f8bafeea715de64f952acca1c59fcfb
xfa_image_rawvalue_000.tif | pdf-xfa-image-tiff | XFA image/rawValue TIFF payload near offset 0x739B9 | 1126 bytes | 53c3280911c4a63151a3cf0a288ec12047b28c49d94c45981698577737286746
font_00_sfnt_off0000108f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x108F | 36717 bytes | 3a47365ba29be93b97be381e34ec3c7ef0a10e0f82cdb3dadd6fb11f2800fdb3