Malicious PDF — malware analysis report

Static analysis result for SHA-256 211322bf9a921c78…

Verdict: MALICIOUS
File type: PDF
File size: 35.8 KB
MD5: b3e30cd1a98d458b8db75cb1c8439085
SHA-1: f0887def810fbe52b4c6136c7524057cf70ab6cf
SHA-256: 211322bf9a921c785a062632cdc88acdfc7406c1d3880ff6664701fe06a8ac34
Risk Score: 66

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1566.002 Spearphishing Attachment

The ML classifier strongly indicates this PDF is malicious. It contains embedded files and an embedded script payload, suggesting it is designed to exploit vulnerabilities or trick the user into executing malicious code. The presence of XFA form elements further supports its potential for exploitation. While no specific family is identified, the techniques point towards a downloader or exploit delivery mechanism.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • Embedded script payload in PDF stream (severity: medium) PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives. This is common in accessible XFA forms but worth surfacing for analyst review.
  • Embedded file (severity: low) PDF_EMBEDDED
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • XFA form (severity: low) PDF_XFA
    PDF uses XML Forms Architecture, which can contain script logic.
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xci/1.0/
    • http://www.xfa.org/schema/xfa-template/2.5/
    • http://www.xfa.org/schema/xfa-data/1.0/

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Fields per artifact: Filename, Kind, Source, Size, SHA-256.

  • embedded_file_obj0008.bin
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 8 at offset 0xC6
    Size: 46 bytes
    SHA-256: 0a2224c4023b216235b61c3fc4dd17bbfac1ab23a545687f51b97604cf654712
  • embedded_file_obj0009.bin
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 9 at offset 0x138
    Size: 672 bytes
    SHA-256: 1fe511a133bc2c684c00526a24e30fcd500ee1963510a08434dd4662110fad5c
  • embedded_file_obj0010.bin
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 10 at offset 0x41D
    Size: 151 bytes
    SHA-256: 1437654e7e7237e18383fec167d1f82c8f8df6106e65c1ca9e335ff80b7a42eb
  • embedded_file_obj0011.bin
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 11 at offset 0x4F9
    Size: 437 bytes
    SHA-256: 919311c4f3a5f8d631c55fffd296ccf550fdb5d7b4350edc85e72b711cfc5686
  • embedded_file_obj0012.bin
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 12 at offset 0x6F3
    Size: 181 bytes
    SHA-256: 072090be5ea6c4a216543a1d4332d27d322264f3038bbd986db2a09048143a1c
  • embedded_file_obj0014.bin
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 14 at offset 0x7EE
    Size: 33987 bytes
    SHA-256: cc38b1ac750f33e4ae7be882187996ad48416fe2308016b0f8325ad85a4a4ec7