Malicious PDF — malware analysis report

Static analysis result for SHA-256 292e565bec6eac8e…

MALICIOUS

PDF

2.5 KB
MD5: 1e46c0fd7c468e45231563a0921945f4 SHA-1: 09f5f7a1febd7a04a5349e722871bc837388deb6 SHA-256: 292e565bec6eac8eb70a12163648759fb6d5532d0a3ccd6300253cd5b91ffdf2
108 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1059.001 PowerShell

This PDF file exhibits multiple high-severity heuristic firings, including PDF_EVAL and PDF_EMBEDDED_SCRIPT_PAYLOAD, indicating the presence of executable code. The ML classifier strongly flags it as malicious. While no specific script content is directly readable, the embedded file and eval() call suggest an attempt to download and execute a second-stage payload. The presence of XFA form elements further supports the exploitation vector.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics 6

  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution
  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xci/1.0/
    • http://www.xfa.org/schema/xfa-template/2.5/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0008.bin
04462f810d6eacdacecc9d0a5f3f81bebc722af4415e04da19b520338f642b51		 pdf-embedded-file PDF EmbeddedFile object 8 at offset 0xD7 67 bytes
embedded_file_obj0009.bin
173bd87906494960aa024c455d44b9a634f56efab750004116b9b7c1ed1590f8		 pdf-embedded-file PDF EmbeddedFile object 9 at offset 0x162 790 bytes
embedded_file_obj0010.bin
5d98c2ea191da557e61dfe6adc326252dcdf6dea39a59a0cdb162ec6ee173931		 pdf-embedded-file PDF EmbeddedFile object 10 at offset 0x4C3 123 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.